CVE-2022-44069
Description
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via the Nest library module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zenario CMS 9.3.57186 contains a stored XSS vulnerability in the Nest library module, allowing authenticated users to inject arbitrary JavaScript.
Vulnerability
Details
CVE-2022-44069 is a stored cross-site scripting (XSS) vulnerability found in Zenario CMS version 9.3.57186. The flaw resides in the Nest library module, where the application fails to properly sanitize user-supplied input before storing it. An attacker can inject malicious JavaScript code into the plugin description field, which is later executed when other users view the affected content [1].
Exploitation
To exploit this vulnerability, an attacker must have an authenticated account with access to the admin panel. The attack vector involves navigating to Menu > Modules > Nest library, editing a Nest plugin, and injecting a payload into the description field. The payload is then stored and executed within the context of the user's session when the plugin is rendered, as demonstrated in a proof-of-concept on a security researcher's GitHub issue tracker [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user who views the compromised plugin. This can lead to session hijacking, defacement, or theft of sensitive information within the context of the affected Zenario CMS instance. The XSS is persistent (stored), meaning the malicious code remains active until manually removed.
Mitigation
As of the publication date, the recommendation is to apply any patches provided by the Zenario CMS project or to upgrade to a fixed version. No official fix was confirmed at the time of disclosure, so administrators should review user input handling for the Nest library module. The vulnerability was filed as a public issue on GitHub [2], which gives defenders the details needed to assess and mitigate the risk.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tribalsystems/zenario (Packagist) | <= 9.3.57186 | — |
Affected products
- Zenario/CMS
Patches
No patches discovered yet.