CVE-2022-41431

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in xzs v3.8.0 within the /admin/question/edit component [1]. The Title text field does not properly sanitize user input, allowing an attacker to inject arbitrary HTML or JavaScript. This issue affects the online examination system as hosted in the mindskip/xzs repository [1].

Exploitation

An attacker must have access to the admin panel, typically requiring authentication, and navigate to the question editing interface. By submitting a crafted payload in the Title field, the malicious script is stored and subsequently executed when an administrator views the affected question. No additional user interaction beyond viewing the page is required for the payload to trigger.

Impact

Successful exploitation leads to arbitrary web script execution in the context of the admin's browser session. This can result in session hijacking, data exfiltration, or unauthorized actions performed on behalf of the victim administrator, compromising the confidentiality and integrity of the application.

Mitigation

As of the publication date (2022-10-17), no official patch has been released for xzs v3.8.0 [1]. Administrators should implement input validation and output encoding for the Title field, restrict access to the admin panel, and consider using a web application firewall (WAF) to detect XSS attempts. Upgrading to a newer version, if available, is recommended.