CVE-2022-44071
Description
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via profile.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zenario CMS 9.3.57186 is vulnerable to stored cross-site scripting via user profile fields.
Vulnerability
The vulnerability is a stored Cross-Site Scripting (XSS) in Zenario CMS version 9.3.57186, found in the user profile editing functionality. The application fails to properly sanitize the 'First name' and 'Last name' fields, allowing an authenticated user to inject arbitrary HTML and JavaScript code. The injected payload is stored on the server and executed when an administrator views the site diagnostics page [1][2].
Exploitation
To exploit this vulnerability, an attacker must first have a valid user account on the Zenario CMS instance. The attacker logs in, navigates to their profile, and enters a malicious script into the First name or Last name field. After saving, the payload is stored. When an administrator accesses the 'View site diagnostics' option from the tab bar, the injected script executes in the context of the admin session [2]. No special network position is required beyond access to the CMS interface.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of an administrator viewing the diagnostics page. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the admin page. Since the attack is stored, it can persist and affect multiple administrators who view the diagnostics.
Mitigation
As of the publication date, no official patch has been released by the vendor. The vulnerability was reported via a GitHub issue. Users are advised to sanitize user input in profile fields and limit access to trusted users until a fix is applied [1][2].
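An added illustration of the mitigation above (example code, not Zenario's own): the diagnostics row rendered with and without output encoding, plus a helper that audits already-stored first/last names for markup until a fix is applied. The field names, sample profiles and the placeholder payload are constructed for this example.

```python
import html
import re

# Constructed sample profile records; the second one carries a placeholder
# payload of the kind an authenticated user could store in a name field.
PROFILES = [
    {"id": 1, "first_name": "Ada", "last_name": "Lovelace"},
    {"id": 2, "first_name": "<script>alert(1)</script>", "last_name": "Mallory"},
]


def render_row_vulnerable(user):
    """Diagnostics row built by plain string interpolation: stored markup
    reaches the administrator's browser unchanged (the flawed pattern)."""
    return f"<tr><td>{user['id']}</td><td>{user['first_name']} {user['last_name']}</td></tr>"


def render_row_safe(user):
    """Same row with contextual output encoding for an HTML body context;
    the name is still shown, but as text rather than as markup."""
    name = html.escape(f"{user['first_name']} {user['last_name']}", quote=True)
    return f"<tr><td>{user['id']}</td><td>{name}</td></tr>"


# Rough indicators of markup or script content in a value that should be a name.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript:|on\w+\s*=", re.IGNORECASE)


def find_suspicious_profiles(profiles):
    """Return ids of profiles whose stored name fields contain markup-like
    content, for review while no vendor patch is available."""
    return [
        p["id"]
        for p in profiles
        if MARKUP.search(p["first_name"]) or MARKUP.search(p["last_name"])
    ]
```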
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tribalsystems/zenario (Packagist) | <= 9.3.57186 | — |
Affected products
- Zenario/CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.