CVE-2022-40348

Vulnerability

Intern Record System version 1.0 contains a stored cross-site scripting (XSS) vulnerability in the /intern/controller.php endpoint. The application fails to sanitize user-supplied input in the name and email parameters before storing it in the database. When an administrator views the intern records on /intern/view.php, the stored payload executes in the browser. The vulnerable version is 1.0, as provided by code-projects.org [1][2].

Exploitation

An unauthenticated attacker can send a POST request to /intern/controller.php with malicious JavaScript in the name or email parameter. No authentication is required because the controller endpoint is publicly accessible. The payload is stored and later triggered when an admin visits the /intern/view.php page. The attacker does not need any special privileges; the only requirement is that the admin views the affected records. Example payloads include ` and ` [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin's browser. This can lead to theft of session cookies, defacement, or further attacks against the admin session. The impact is limited to the browser of the viewing user, but because the admin has elevated privileges, cookie theft could lead to account takeover [1].

Mitigation

As of the publication date (2023-02-18), no official patch has been released. The vendor (code-projects.org) has not provided an update. Users should implement input validation and output encoding for the name and email fields, or consider disabling the vulnerable functionality until a fix is available. The software is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].