CVE-2022-34833
Description
An issue was discovered in VERMEG AgileReporter 21.3. An admin can enter an XSS payload in the Analysis component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in VERMEG AgileReporter 21.3 allows a low-privileged user to inject JavaScript that executes in an admin's browser via the Analysis component's comment feature.
Vulnerability
VERMEG AgileReporter version 21.3 contains a stored cross-site scripting (XSS) vulnerability in the Analysis component. An authenticated user with low privileges can inject arbitrary JavaScript via the comment input field on the Activity log of a Return. The payload is stored and later executed when an admin views the comments in the Analysis dashboard. [2]
Exploitation
An attacker with low-privileged access (e.g., a user who can add comments) navigates to a Return's Activity log, clicks "Add comment", and enters a malicious payload such as <img/src=\%00\ onerror=this.onerror=confirm(3)>. After saving, the admin must open the Analysis module, select the same Return, create a report, and then click Menu → Comments. This triggers the stored payload in the admin's browser. [2]
Impact
Successful exploitation leads to execution of arbitrary JavaScript in the context of the admin's session. This can result in data theft, session hijacking, or further actions within the AgileReporter application, potentially compromising sensitive financial data. The attack requires user interaction from an admin to view the comments.
Mitigation
As of the publication date (2023-10-27), no official patch has been announced by VERMEG. The vendor's website [1] does not mention a fix. Users should restrict comment functionality to trusted users, apply input sanitization, or upgrade to a patched version if available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
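The advisory's mitigation advice comes down to never letting stored comment text reach the page as markup. The following is an added illustration of that control, not AgileReporter code or a VERMEG fix: it assumes a hypothetical comment object with `author` and `text` fields, HTML-encodes both before they are placed in markup, and includes a small scanning heuristic a defender can run over an existing comment store to find records that already contain markup. The sample comments are constructed; the second one reuses the payload string quoted above.

```javascript
// Added example (not from the vendor or the advisory): output-encode stored
// comments before rendering, and flag stored records that contain markup.

// Entity-encode the five characters that can change HTML parsing context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build list markup for comments; every user-controlled field is encoded.
// In a browser, assigning element.textContent instead of building a string
// is the equivalent safe path; the string form is used here so it runs offline.
function renderComments(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join("");
}

// Detection-side heuristic for auditing an existing comment table: true when
// the text opens an HTML tag or carries an on*= event-handler attribute.
// It will also flag harmless comments that happen to contain a "<", so treat
// hits as items to review rather than as confirmed payloads.
function looksLikeMarkup(s) {
  return /<\s*[a-z!\/]/i.test(s) || /\bon[a-z]+\s*=/i.test(s);
}

// Constructed sample data: one benign comment and the payload string from the advisory.
const sampleComments = [
  { author: "analyst1", text: "Reviewed figures for Q3." },
  { author: "user2", text: "<img/src=\\%00\\ onerror=this.onerror=confirm(3)>" },
];

// Audit helper: return the indexes of stored comments that warrant review.
function auditComments(comments) {
  return comments
    .map((c, i) => (looksLikeMarkup(c.text) ? i : -1))
    .filter((i) => i >= 0);
}

console.log(renderComments(sampleComments));
console.log("comments to review:", auditComments(sampleComments));
```

Encoding at render time neutralizes the stored payload regardless of which client later views it, while the audit pass is what a defender would run once over existing data after deploying the encoding, since the fix does nothing about records that were written earlier.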
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- VERMEG/AgileReporter
- Range: =21.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.