CVE-2022-31300
Description
A cross-site scripting vulnerability in the DM Section component of Haraj v3.7 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Haraj v3.7 DM Section (Messages component) has a stored XSS via a crafted POST request, allowing arbitrary script execution.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the DM Section component of Haraj v3.7 [1]. The application does not properly sanitize user input submitted via a POST request to the messaging functionality, allowing arbitrary HTML and JavaScript to be stored and later rendered in the context of other users' browsers [1].
Exploitation
An attacker must be an authenticated user of the Haraj v3.7 platform [1]. The attacker sends a crafted POST request containing malicious script code to the DM Section endpoint [1]. No elevated privileges beyond standard user authentication are required [1].
Impact
Successful exploitation results in stored cross-site scripting (XSS). The attacker's injected script executes in the browsers of other users who view the affected DM messages [1]. This can lead to session hijacking, credential theft, or defacement within the application's security context [1].
Mitigation
As of the publication date (2022-06-16), no official patch or fixed version has been released for Haraj v3.7 [1]. Upgrading to a newer version of the script (e.g., Haraj v3.8, as referenced by the vendor [3]) may address this issue if the messaging component was updated [1][3]. Users are advised to contact the vendor for a fix or apply input sanitization on the DM POST endpoint as a workaround [1].
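To illustrate the workaround's principle, the following is an added example, not code from Haraj or from the advisory: a minimal stand-in for a DM render path, the vulnerable interpolation beside an output-encoded one, plus a triage check over a constructed message store. Field names, template and sample bodies are assumptions for the example.

```python
import html
import re

# Constructed sample DM bodies, standing in for what the messaging POST endpoint
# stores. Field names are assumed for this example; Haraj's real schema is not
# shown on the page.
SAMPLE_MESSAGES = [
    {"sender": "alice", "body": "Is the item still available? <3"},
    {"sender": "mallory", "body": "<script>alert(document.cookie)</script>"},
    {"sender": "eve", "body": "<img src=x onerror=alert(1)>"},
]

TEMPLATE = '<div class="dm"><b>{sender}</b>: {body}</div>'


def render_vulnerable(msg):
    """Before: the stored body is interpolated into HTML untouched, so any
    markup the sender supplied runs in the recipient's browser (stored XSS)."""
    return TEMPLATE.format(sender=msg["sender"], body=msg["body"])


def render_hardened(msg):
    """After: every user-controlled value is HTML-entity encoded for the
    element-content context at output time. '<' becomes '&lt;', so the
    browser displays the text instead of parsing a tag."""
    return TEMPLATE.format(
        sender=html.escape(msg["sender"], quote=True),
        body=html.escape(msg["body"], quote=True),
    )


# Triage heuristic for messages already sitting in the store: a tag, an inline
# event handler or a javascript: URL inside a plain-text DM is worth review.
_MARKUP = re.compile(r"<\s*/?[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:", re.I)


def looks_like_markup(body):
    return _MARKUP.search(body) is not None


def suspicious_senders(messages):
    """Return the senders (in store order) whose messages contain markup."""
    return [m["sender"] for m in messages if looks_like_markup(m["body"])]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(render_hardened(m))
    print("review:", suspicious_senders(SAMPLE_MESSAGES))
```

Encoding at output is the durable fix; the triage scan only helps find messages stored before the fix.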
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Haraj/Haraj
- Range: =3.7
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- angtech.org (MITRE x_refsource_MISC)
- angtech.org/product/view/3 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.