VYPR
Moderate severity · NVD Advisory · Published Nov 13, 2022 · Updated Apr 15, 2025

NukeViet CMS Data URL Request.php filterAttr cross site scripting

CVE-2022-3975

Description

A vulnerability, which was classified as problematic, has been found in NukeViet CMS. Affected by this issue is the function filterAttr of the file vendor/vinades/nukeviet/Core/Request.php of the component Data URL Handler. The manipulation of the argument attrSubSet leads to cross site scripting. The attack may be launched remotely. Upgrading to version 4.5 is able to address this issue. The name of the patch is 0b3197fad950bb3383e83039a8ee4c9509b3ce02. It is recommended to upgrade the affected component. VDB-213554 is the identifier assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-3975 is a stored XSS vulnerability in NukeViet CMS's filterAttr function affecting data URL handling, fixed in version 4.5.

Vulnerability Overview

CVE-2022-3975 is a cross-site scripting (XSS) vulnerability discovered in NukeViet CMS. The flaw resides in the filterAttr function within the file vendor/vinades/nukeviet/Core/Request.php, specifically in the Data URL Handler component. The function fails to properly sanitize the attrSubSet argument, allowing an attacker to inject malicious scripts through crafted data URLs [1].

Exploitation Details

The vulnerability is remotely exploitable without requiring authentication. An attacker can manipulate the attrSubSet parameter to inject arbitrary HTML or JavaScript code into a page processed by NukeViet CMS. The commit diff shows that the original sanitization did not adequately handle spaces between characters in tags like `<script>`, nor did it properly decode HTML entities before performing security checks. The patch introduces a call to `unhtmlentities()` before the data URL regex and adds additional script tag filtering with flexible whitespace matching [3].
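
The ordering issue described above, as an added example (not NukeViet code and not part of the advisory): the same data URL check is run once on the raw attribute value and once on the entity-decoded value. `html_entity_decode()` stands in for the project's `unhtmlentities()`, and the `dataUrlBody()` helper, the base64 branch and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not NukeViet code. html_entity_decode() stands in for the
// project's unhtmlentities(); its exact behaviour is an assumption here.

// Data URL pattern copied from the patched line of the diff on this page.
const DATA_URL_RE = '/^[\r\n\s\t]*d\s*a\s*t\s*a\s*\:([^\,]*?)\;*[\r\n\s\t]*(base64)*?[\r\n\s\t]*\,[\r\n\s\t]*(.*?)[\r\n\s\t]*$/isu';

/**
 * Returns the decoded body if $raw is recognised as a data URL, else null.
 * $decodeFirst = false: regex runs on the raw value (pre-patch ordering).
 * $decodeFirst = true:  regex runs on the entity-decoded value (patched).
 * The same pattern is used for both so that only the ordering differs.
 */
function dataUrlBody(string $raw, bool $decodeFirst): ?string
{
    $subject = $decodeFirst
        ? html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : $raw;
    if (!preg_match(DATA_URL_RE, $subject, $m)) {
        return null; // not treated as a data URL, so no body inspection
    }
    if (empty($m[2])) {
        return urldecode($m[3]); // URL-encoded body, as in the diff
    }
    // base64 branch: not visible in the diff, assumed for this example
    $body = base64_decode($m[3], true);
    return $body === false ? '' : $body;
}

// Constructed sample values with harmless bodies ("ABC", "hello world").
$samples = [
    'data:text/plain;base64,QUJD',
    '&#100;ata:text/plain;base64,QUJD',
    'data&#58;text/plain,hello%20world',
    'https://example.test/a.png',
];

foreach ($samples as $s) {
    printf(
        "%-36s raw-first=%-14s decoded-first=%s\n",
        $s,
        var_export(dataUrlBody($s, false), true),
        var_export(dataUrlBody($s, true), true)
    );
}
```

The second and third samples are not recognised as data URLs by the raw-first ordering and are recognised once entities are decoded, which is the gap the reordered `unhtmlentities()` call closes.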

Impact

Successful exploitation could allow an attacker to execute arbitrary JavaScript in the context of a victim's browser session, potentially leading to session hijacking, defacement, or theft of sensitive data. Since the attack is stored in pages processed by the CMS, any user viewing the affected content could be impacted [1].

Mitigation

The issue has been resolved in NukeViet CMS version 4.5. Users are strongly advised to upgrade immediately. The specific patch commit is 0b3197fad950bb3383e83039a8ee4c9509b3ce02, which implements more thorough input sanitization and script filtering [1][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| nukeviet/nukeviet (Packagist) | < 4.5 | 4.5 |

Patches

0b3197fad950

Continue fixing the XSS bug

https://github.com/nukeviet/nukeviet · Nguyen Anh Tu · Oct 29, 2022 · via ghsa
1 file changed · +9 -4
  • vendor/vinades/nukeviet/Core/Request.php +9 -4 modified
    @@ -743,8 +743,10 @@ private function filterAttr($attrSet, $tagName, &$isvalid)
                     $attrSubSet[1] = preg_replace("/^\'(.*)\'$/", '\\1', $attrSubSet[1]);
                     $attrSubSet[1] = str_replace(['"', '&quot;'], "'", $attrSubSet[1]);
     
    +                $value = $this->unhtmlentities($attrSubSet[1]);
    +
                     // Security check Data URLs
    -                if (preg_match('/^[\r\n\s\t]*d\s*a\s*t\s*a\s*\:([^\,]*?)\;*(base64)*?[\r\n\s\t]*\,[\r\n\s\t]*(.*?)[\r\n\s\t]*$/isu', $attrSubSet[1], $m)) {
    +                if (preg_match('/^[\r\n\s\t]*d\s*a\s*t\s*a\s*\:([^\,]*?)\;*[\r\n\s\t]*(base64)*?[\r\n\s\t]*\,[\r\n\s\t]*(.*?)[\r\n\s\t]*$/isu', $value, $m)) {
                         if (empty($m[2])) {
                             $dataURLs = urldecode($m[3]);
                         } else {
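
Review bot: on the `preg_match` line the check now reads the entity-decoded `$value`, while the two lines above it still normalise quotes on `$attrSubSet[1]`; add a comment (or a test) stating which of the two is written back to the output, so it is clear that the string being checked is the string being emitted. The inserted `[\r\n\s\t]*` before `(base64)*?` also looks redundant, because `([^\,]*?)` can already consume whitespace ahead of `base64`, and `[\r\n\s\t]` is equivalent to `\s`.
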
    @@ -758,7 +760,10 @@ private function filterAttr($attrSet, $tagName, &$isvalid)
                         }
                     }
     
    -                $value = $this->unhtmlentities($attrSubSet[1]);
    +                if (preg_replace('/\<\s*s\s*c\s*r\s*i\s*p\s*t([^\>]*)\>(.*)\<\s*\/\s*s\s*c\s*r\s*i\s*p\s*t\s*\>/isU', '', $value)) {
    +                    continue;
    +                }
    +
                     $search = [
                         'javascript' => '/j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t/si',
                         'vbscript' => '/v\s*b\s*s\s*c\s*r\s*i\s*p\s*t/si',
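
Review bot: the new `if (preg_replace(...))` condition tests the string that `preg_replace()` returns, not whether the pattern matched, so it is true for any non-empty `$value` (other than "0") and the `continue` is taken whether or not a script element is present; a value that consists only of a script element yields an empty string and is not skipped. Use `preg_match()` with the same pattern, or pass the count argument the way `filterTags()` does with `$checkInvalid`.
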
    @@ -825,7 +830,7 @@ private function filterAttr($attrSet, $tagName, &$isvalid)
         private function filterTags($source, &$isvalid = true)
         {
             $checkInvalid = 0;
    -        $source = preg_replace('/\<script([^\>]*)\>(.*)\<\/script\>/isU', '', $source, -1, $checkInvalid);
    +        $source = preg_replace('/\<\s*s\s*c\s*r\s*i\s*p\s*t([^\>]*)\>(.*)\<\s*\/\s*s\s*c\s*r\s*i\s*p\s*t\s*\>/isU', '', $source, -1, $checkInvalid);
             if ($checkInvalid > 0) {
                 $isvalid = false;
             }
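
Review bot: the widened pattern on the `preg_replace` line still requires a matching closing tag, so an opening script tag with no closing tag passes this line untouched and leaves `$checkInvalid` at 0; confirm the tag loop further down rejects that case and add a test for it. The same long pattern is now repeated at several call sites in this patch, so a class constant would keep the copies from drifting apart.
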
    @@ -936,7 +941,7 @@ private function filterTags($source, &$isvalid = true)
             }
     
             $preTag .= $postTag;
    -        while (preg_match('/\<script([^\>]*)\>(.*)\<\/script\>/isU', $preTag)) {
    +        while (preg_match('/\<\s*s\s*c\s*r\s*i\s*p\s*t([^\>]*)\>(.*)\<\s*\/\s*s\s*c\s*r\s*i\s*p\s*t\>/isU', $preTag)) {
                 $preTag = preg_replace('/\<script([^\>]*)\>(.*)\<\/script\>/isU', '', $preTag);
             }
             $preTag = str_replace(["'", '"', '<', '>'], ['&#039;', '&quot;', '&lt;', '&gt;'], $preTag);
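
Review bot: the `while` condition now uses the whitespace-tolerant pattern, but the `preg_replace` inside the loop still uses the old `/\<script([^\>]*)\>(.*)\<\/script\>/isU`, so a value that only the new pattern matches satisfies the condition, is left unchanged by the replacement, and the loop can fail to terminate. Use one pattern for both calls; the closing tag in the new condition also lacks the `\s*` before `\>` that the `filterTags` hunk above has.
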
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
