CVE-2022-31298
Description
A cross-site scripting vulnerability in the ads comment section of Haraj v3.7 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Haraj v3.7 is vulnerable to stored XSS in the ads comment section via a crafted POST request, allowing arbitrary script execution.
Vulnerability
The ads comment section of Haraj v3.7 does not properly sanitize user-supplied input submitted via POST request. An attacker can inject arbitrary JavaScript or HTML into a comment, leading to stored cross-site scripting (XSS). The vulnerable component is present in all installations of Haraj v3.7.
Exploitation
An attacker can craft a POST request to the comment endpoint whose comment body carries script or HTML markup. Because the body is stored without sanitization and rendered without output encoding, the payload is served to, and executed in the browser of, every user who later views the affected ad's comments. Nothing beyond viewing the page is required of the victim. The CVE description does not state whether submitting a comment requires an account, so the attacker's privilege level should not be assumed to be "unauthenticated".
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement of the page, theft of sensitive data (e.g., cookies, CSRF tokens), or further actions such as redirecting users to malicious sites.
Mitigation
The available references do not explicitly mention a patch for this vulnerability. However, Haraj v3.8 (described in reference [2]) includes various updates and may contain a fix, though this is not confirmed. Users are advised to contact the vendor or upgrade to the latest version if available. No official workaround is documented.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Haraj / Haraj
  - Range: = 3.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- angtech.org (MITRE, x_refsource_MISC)
- angtech.org/product/view/3 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.