CVE-2022-30494
Description
In oretnom23 Automotive Shop Management System v1.0, the first and last name user fields suffer from a stored XSS Injection Vulnerability allowing remote attackers to gain admin access and view internal IPs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Automotive Shop Management System v1.0 allows remote attackers to gain admin access and view internal IPs.
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability exists in oretnom23 Automotive Shop Management System v1.0 [1]. The first name and last name user fields on the profile page do not sanitize input, allowing an attacker to inject arbitrary JavaScript [1]. The code path is reachable by any authenticated user navigating to the profile page.
Exploitation
An attacker must first be logged in as a regular user. They then navigate to the profile page and enter a malicious payload (e.g., ">) into either the first name or last name field [1]. When an administrator views the attacker's details, the injected script executes in the admin's browser [1]. No additional privileges or user interaction beyond viewing is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of an authenticated admin session [1]. This can lead to session hijacking, admin account takeover, and disclosure of internal IP addresses [1]. The attacker gains full admin access to the application.
Mitigation
No official fix has been released as of the publication date [1]. The vendor (oretnom23) has not provided a patch or workaround [1]. Users should consider restricting access to the management system or implementing a Web Application Firewall (WAF) to filter XSS payloads.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- oretnom23/Automotive Shop Management Systemdescription
- Range: = 1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization and output escaping in the first name and last name fields allows stored cross-site scripting.""
Attack vector
An attacker first navigates to the profile page and injects a JavaScript payload (e.g., `">
Affected code
The vulnerability exists in the user profile page of Automotive Shop Management System v1.0, specifically in the first name and last name input fields [ref_id=1]. The application does not sanitize or escape user-supplied input before storing it in these fields.
What the fix does
No patch or official fix is provided in the available references [ref_id=1]. The advisory does not include remediation guidance from the vendor. To close this vulnerability, the application must properly validate, sanitize, and escape user input in the first name and last name fields before storing or rendering it, and should apply output encoding when displaying user-controlled data in the browser.
Preconditions
- authAttacker must have a valid user account to access the profile page
- inputAn administrator must view the attacker's profile details to trigger the stored XSS
Reproduction
Step 1: Log in and navigate to the Profile Page. Step 2: Enter the XSS payload `">
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- github.com/nsparker1337/OpenSource/blob/main/exploit_xss_asms.mdmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.