CVE-2022-30349
Description
siteserver SSCMS 6.15.51 is vulnerable to Cross Site Scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SSCMS 6.15.51 is vulnerable to stored XSS via the modalRelatedFieldItemEdit.aspx page, enabling payload injection without proper sanitization.
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability exists in SSCMS (SiteServer CMS) version 6.15.51 [1][2]. The flaw resides in the modalRelatedFieldItemEdit.aspx endpoint, which fails to sanitize user-supplied input for the TbItemName parameter. A logged-in administrator or user with access to related field editing can inject arbitrary JavaScript or HTML content that is then stored and displayed in the application [3].
Exploitation
To exploit the vulnerability, an attacker must be authenticated and have permissions to access the related field item editor. The attacker sends a POST request to /SiteServer/cms/modalRelatedFieldItemEdit.aspx with a malicious payload in the TbItemName parameter. For example, the value `` triggers a JavaScript alert when the stored value is rendered in a browser [3]. No additional user interaction beyond the victim viewing the affected page is required.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of authentication cookies, session impersonation, defacement, or redirection to malicious sites. The stored nature of the XSS means that any user browsing the related field item could be affected, amplifying the attack's reach [2][3].
Mitigation
As of the publication date (2022-05-27), no official patch was available for version 6.15.51. Users should monitor the SSCMS repository [1] for updates or apply input validation and output encoding controls at the application or WAF level. The vulnerability is not listed on CISA's known exploited vulnerabilities (KEV) catalog.
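The two controls named above, as an added example (not SSCMS code and not taken from the referenced advisories): a WAF-style check on POSTs to modalRelatedFieldItemEdit.aspx that rejects markup in TbItemName, and output encoding for the stored value. The character policy, the suffix match on the field name, and the sample requests are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameter named in the advisory text above.
TARGET_PATH = "/siteserver/cms/modalrelatedfielditemedit.aspx"
TARGET_PARAM = "tbitemname"

# Assumed policy: an item name is plain text, so markup characters and
# numeric character references are rejected outright.
MARKUP = re.compile(r"[<>\"]|&#")


def fully_decode(value, max_rounds=3):
    """Undo layered percent-encoding so a value like %253C is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method, url, body):
    """WAF-style check: return ('block', reason) or ('allow', '')."""
    if method.upper() != "POST":
        return ("allow", "")
    if urlsplit(url).path.lower() != TARGET_PATH:
        return ("allow", "")
    for name, values in parse_qs(body, keep_blank_values=True).items():
        # Assumption: WebForms may prefix control names, so match on the suffix.
        if not name.lower().endswith(TARGET_PARAM):
            continue
        for raw in values:
            if MARKUP.search(fully_decode(raw)):
                return ("block", f"markup in {name}")
    return ("allow", "")


def render_item_name(stored):
    """Application-side control: HTML-encode the stored name on output."""
    return html.escape(stored, quote=True)


# Constructed sample requests for illustration.
URL = "/SiteServer/cms/modalRelatedFieldItemEdit.aspx"
if __name__ == "__main__":
    print(inspect_request("POST", URL, "TbItemName=Region+A"))
    print(inspect_request("POST", URL, "TbItemName=%253Cb%253Ex"))
    print(render_item_name("<b>x</b>"))
```

The request filter only narrows what reaches storage; encoding on output is what keeps values that are already stored from being rendered as markup.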
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- siteserver/siteserver SSCMS (description)
- ghsa-coords
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-4qf6-vpj8-p4r6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-30349 (ghsa, ADVISORY)
- github.com/siteserver/cms/issues/3238 (ghsa, x_refsource_MISC, WEB)