CVE-2022-41472
Description
74cmsSE v3.12.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /apiadmin/notice/add. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in 74cmsSE v3.12.0 allows attackers to execute arbitrary JavaScript via the Title field in the notice add functionality.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in 74cmsSE v3.12.0 within the /apiadmin/notice/add component. The Title field is insufficiently sanitized; only angle brackets are escaped, leaving the application vulnerable to AngularJS sandbox escape payloads. This allows an attacker to inject arbitrary web scripts or HTML that are stored and later executed when the notice is viewed [1].
Exploitation
An attacker must have administrative access to the backend of 74cmsSE. The exploitation steps are: log in as an admin, navigate to the notice addition page, insert a crafted payload into the Title field (e.g., {{$on.constructor('alert(1)')()}}), and save the notice. When any user (including other admins) clicks on the notice title, the stored payload executes in the context of the victim's browser [1].
Impact
Successful exploitation allows arbitrary JavaScript execution within the admin panel's security context. This can lead to session hijacking, defacement, data theft, or further compromise of the application. The attacker gains the ability to perform actions as the victim admin user, potentially escalating privileges within the system [1].
Mitigation
No official patch has been released for this vulnerability as of the publication date. The vendor should implement proper input validation and output encoding for the Title field, escaping all relevant characters rather than just angle brackets. As a workaround, restrict access to the admin panel to trusted users only. The affected version is 74cmsSE v3.12.0 [1].
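The two filters described above, modelled as an added example (not code from 74cmsSE): an angle-bracket-only escaper of the kind the Vulnerability section describes, beside a hardened check for the Title field that rejects AngularJS interpolation markers and escapes every significant HTML character. Sample titles are constructed; function names are assumptions.

```python
import html
import re

# AngularJS default interpolation markers {{ ... }}; the filter the CVE
# describes never touches these, so they reach the template engine intact.
ANGULAR_INTERPOLATION = re.compile(r"\{\{.*?\}\}", re.DOTALL)


def escape_angle_brackets_only(title: str) -> str:
    """Model of the insufficient filter: only < and > are escaped."""
    return title.replace("<", "&lt;").replace(">", "&gt;")


def contains_interpolation(title: str) -> bool:
    """Detection check: does the value carry AngularJS interpolation markers?"""
    return ANGULAR_INTERPOLATION.search(title) is not None


def sanitize_title(title: str, max_len: int = 120) -> str:
    """Hardened handling for a notice title rendered inside an AngularJS view.

    Escapes every significant HTML character (quotes and ampersands, not just
    angle brackets) and rejects interpolation markers outright.  Entity-encoding
    the braces would not help: the browser decodes entities before AngularJS
    compiles the text node, so '{{' would still reach the template engine.
    """
    if len(title) > max_len:
        raise ValueError("title exceeds %d characters" % max_len)
    if contains_interpolation(title):
        raise ValueError("title contains template interpolation markers")
    return html.escape(title, quote=True)


def title_accepted(title: str) -> bool:
    """True if the hardened check lets the title through, False if it rejects it."""
    try:
        sanitize_title(title)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a harmless interpolation beside ordinary punctuation.
    sample = '{{7*7}} Outage "Friday" & Saturday <b>'
    print("weak filter  :", escape_angle_brackets_only(sample))
    print("still has {{ :", contains_interpolation(escape_angle_brackets_only(sample)))
    print("hardened     :", title_accepted(sample), title_accepted('Outage "Friday" & Saturday'))
```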
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- 74cmsSE/74cmsSE
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.