CVE-2022-37254
Description
DolphinPHP 1.5.1 is vulnerable to Cross Site Scripting (XSS) via Background -> System -> system function -> configuration management.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DolphinPHP 1.5.1 has a stored XSS vulnerability in configuration management, allowing arbitrary script execution via a crafted title.
Vulnerability
DolphinPHP version 1.5.1 is vulnerable to stored Cross-Site Scripting (XSS) in the configuration management function accessible via Background -> System -> system function -> configuration management [1]. The application fails to sanitize user input in the configuration title field, allowing an attacker to inject arbitrary HTML and JavaScript code [1].
Exploitation
An attacker with administrative access to the DolphinPHP backend can exploit this vulnerability by navigating to the configuration management page and adding a new configuration [1]. In the configuration title field, the attacker inserts a payload such as t"> [1]. After saving and refreshing the page, the injected script executes whenever the configuration page is viewed [1].
Impact
Successful exploitation leads to stored Cross-Site Scripting (XSS), enabling an attacker to execute arbitrary JavaScript in the context of the administrator's browser session [1]. This can result in session hijacking, data theft, defacement, or redirection to malicious sites [1].
Mitigation
As of the publication date of 2022-08-19, no official patch has been released for DolphinPHP 1.5.1 [1]. Administrators should apply input validation and output encoding for the configuration title field. Restricting access to the configuration management page to only trusted users may reduce risk until a fix is available [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- DolphinPHP/DolphinPHP
- Range: 1.5.1
Patches
No patches discovered yet.
References
[1] github.com/caiweiming/DolphinPHP/issues/42 (mitre, x_refsource_MISC)