CVE-2022-26246
Description
TMS v2.28.0 contains a stored XSS vulnerability in the mail settings component via unsanitized input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
TMS v2.28.0 contains a stored cross-site scripting (XSS) vulnerability in the /TMS/admin/setting/mail/createorupdate endpoint. The application fails to sanitize user-supplied input before storing it, allowing arbitrary JavaScript to be injected via the port parameter or other fields. The unsanitized data is passed directly to the setting method of AdminController and executed when the page is rendered [1].
Exploitation
An attacker with administrative access to the TMS application can exploit this vulnerability by navigating to the system settings page (/TMS/admin/setting), entering malicious JavaScript (e.g., ``) into the mail configuration form, and saving the changes. The injected script is stored and executed in the context of any user who views the affected settings page, including the attacker themselves [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user accessing the mail settings page. This can lead to session hijacking, defacement, or theft of sensitive data displayed on the page. The attack is remote and does not require user interaction beyond the initial save by an admin [1].
Mitigation
As of the publication date, no official patch has been released for TMS v2.28.0. Users should restrict access to the admin panel to trusted individuals and consider applying input validation and output encoding as a workaround. Monitor the vendor's repository for future updates [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TMS/TMS
- Range: = v2.28.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] https://github.com/xiweicheng/tms/issues/15
News mentions
No linked articles in our index yet.