VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2022 · Updated Aug 3, 2024

CVE-2022-31301

Description

Haraj v3.7 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Post Ads component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Haraj v3.7 contains a stored XSS vulnerability in the Post Ads component, allowing authenticated attackers to inject arbitrary JavaScript.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the Post Ads component of Haraj v3.7 [1]. The application fails to properly sanitize user-supplied input when creating or editing ad posts, allowing malicious script code to be stored and later executed in the context of other users' browsers. The issue is present in the affected version 3.7, as referenced in the advisory [1].

Exploitation

An authenticated attacker with the ability to create or edit ad posts can exploit this vulnerability by injecting malicious JavaScript into ad fields (e.g., title, description) without proper sanitization [1]. No special network position is required; the attacker only needs a valid user account on the Haraj instance. Once the crafted ad is saved, the script executes automatically whenever other users view the ad post.

Impact

Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's browser, potentially resulting in session hijacking, credential theft, or defacement of the affected site [1]. The attacker's code can perform any action available to the victim user, including modifying content or stealing sensitive data.

Mitigation

As of the available references, no official patch has been released for Haraj v3.7 [1]. Administrators should consider upgrading to a newer version (e.g., v3.8) that may contain fixes, or apply generic input sanitization and output encoding controls as a workaround [3]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
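As an added illustration of the output-encoding workaround described above (example code written for this page, not Haraj's own code), the vulnerable string concatenation is shown beside a context-aware encoded version. The field names title and description are taken from the advisory text, and the sample ad is constructed.

```javascript
// Added example, not Haraj's code: context-aware output encoding for
// user-supplied ad fields before they are placed into HTML.
// Field names (title, description) are assumed from the advisory text.

// Encode for an HTML element/text context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
  })[ch]);
}

// Encode for a double-quoted HTML attribute context. Every character that
// is not alphanumeric becomes a numeric entity, so a stored value can never
// close the attribute or add a new one.
function escapeAttr(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (ch) => `&#x${ch.charCodeAt(0).toString(16).toUpperCase()};`);
}

// Vulnerable pattern: stored field values concatenated straight into markup,
// so anything the user typed is interpreted as HTML by the viewer's browser.
function renderAdUnsafe(ad) {
  return `<div class="ad" data-title="${ad.title}">` +
         `<h2>${ad.title}</h2><p>${ad.description}</p></div>`;
}

// Hardened pattern: each untrusted value is encoded for the context it lands in
// (attribute vs. element body), so it is displayed as text, never parsed as markup.
function renderAdSafe(ad) {
  return `<div class="ad" data-title="${escapeAttr(ad.title)}">` +
         `<h2>${escapeHtml(ad.title)}</h2>` +
         `<p>${escapeHtml(ad.description)}</p></div>`;
}

// Constructed sample ad: a title that tries to break out of an attribute and
// a description containing a script tag.
const SAMPLE_AD = {
  title: 'Bike for sale" data-x="1',
  description: '<script>alert(1)</script>',
};
```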

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.