CVE-2022-44070
Description
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via News articles.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zenario CMS 9.3.57186 is vulnerable to stored XSS via News articles, allowing attackers to inject arbitrary JavaScript.
Vulnerability Description
Zenario CMS version 9.3.57186 contains a stored cross-site scripting (XSS) vulnerability in the News articles functionality [1]. The root cause is insufficient sanitization of user-supplied input in the Summary and Main Content fields when creating or editing news articles. This allows an authenticated attacker to inject arbitrary HTML and JavaScript code that is stored on the server [2].
Exploitation
To exploit this vulnerability, an attacker must have a valid account with access to the News section. The attacker can inject a payload, such as an EMBED element with a base64-encoded SVG containing a script, into the Summary or Main Content fields. Upon saving, the payload is stored and executed in the browser of any user viewing the affected news article [2]. No special network position is required beyond standard web access.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive information displayed in the CMS. The attack is particularly dangerous because it affects all users who view the malicious article, including administrators [1][2].
Mitigation
As of publication, no official patch has been released by Zenario. The vulnerability was reported via GitHub issues [2]. Until a fix is available, administrators should restrict access to the News article editor to trusted users and consider disabling the feature if not needed.
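The payload shape described under Exploitation can be searched for in stored article HTML. The following is an added example, not code from Zenario or the advisory: `decode_data_uri`, `ArticleScanner`, `scan_field` and the sample strings are hypothetical names and constructed inputs, and it assumes the Summary and Main Content values have already been exported from the CMS as HTML strings.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Tags that embed another document, mapped to the attribute holding its URL.
EMBEDDING_TAGS = {"embed": "src", "object": "data", "iframe": "src"}
# Markup that makes a decoded document active: script tags, on* handlers, javascript: URLs.
ACTIVE_MARKUP = re.compile(rb"<\s*script|\son\w+\s*=|javascript:", re.I)

def decode_data_uri(uri):
    """Return (mime, decoded bytes) for a data: URI, or None for any other URL."""
    uri = re.sub(r"[\t\r\n]", "", uri.strip())  # browsers strip these from URLs
    if not uri.lower().startswith("data:") or "," not in uri:
        return None
    header, body = uri[5:].split(",", 1)
    params = [p.strip().lower() for p in header.split(";")]
    raw = unquote_to_bytes(body)
    if "base64" in params[1:]:
        raw = re.sub(rb"[^A-Za-z0-9+/]", b"", raw)  # drop padding and whitespace
        try:
            raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))
        except ValueError:
            raw = b""  # undecodable body: still reported, but not marked active
    return params[0] or "text/plain", raw

class ArticleScanner(HTMLParser):
    """Collects (tag, mime, has_active_markup) for every embedded data: URI."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
    def handle_starttag(self, tag, attrs):
        url_attr = EMBEDDING_TAGS.get(tag)  # tag and attribute names arrive lowercased
        for name, value in attrs:
            decoded = decode_data_uri(value) if value and name == url_attr else None
            if decoded:
                mime, payload = decoded
                self.findings.append((tag, mime, bool(ACTIVE_MARKUP.search(payload))))

def scan_field(html):
    """Scan one stored Summary or Main Content value and return its findings."""
    scanner = ArticleScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample input: an inert SVG (empty script element) in the reported wrapper.
_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script></script></svg>'
SAMPLE_SUMMARY = '<p>News</p><EMBED SRC="data:image/svg+xml;base64,%s">' % base64.b64encode(_SVG).decode()
SAMPLE_CLEAN = '<p>News</p><img src="/images/launch.png">'
```

`scan_field(SAMPLE_SUMMARY)` reports the embedded SVG as active, while `scan_field(SAMPLE_CLEAN)` returns no findings. The check covers only this one payload shape, so a clean result says nothing about other markup the fields accept.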
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tribalsystems/zenario (Packagist) | <= 9.3.57186 | — |
Affected products
- Zenario/CMS (description)
Patches
No patches discovered yet.