CVE-2022-44073
Description
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via svg,Users & Contacts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zenario CMS 9.3.57186 contains a stored XSS vulnerability via SVG upload in Users & Contacts, allowing arbitrary JavaScript execution.
Vulnerability
Overview
Zenario CMS version 9.3.57186 is vulnerable to stored cross-site scripting (XSS) through the SVG file upload functionality in the Users & Contacts section [1]. This issue represents a bypass of a previous fix for CVE-2021-41952, which addressed a similar XSS vector in version 9.0.54156 [2]. The root cause is insufficient sanitization of SVG files, allowing an attacker to inject malicious JavaScript code within the SVG markup.
Exploitation
An authenticated attacker with privileges to create or edit users can upload a crafted SVG file as the user's profile image [2]. The SVG contains embedded JavaScript payloads (e.g., using `` tags or event handlers). When other users view the affected user's profile or the uploaded image, the malicious script executes in their browser context. No special network position is required beyond standard web access to the CMS.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browsers of other authenticated users, including administrators. This can lead to session hijacking, theft of sensitive data, defacement, or further compromise of the CMS instance. The stored nature of the XSS means the payload persists until manually removed.
Mitigation
As of the publication date, no official patch has been released for this bypass [2]. Administrators should restrict SVG uploads, implement strict content-type validation, and sanitize SVG files to remove executable content. Disabling SVG uploads entirely or using a whitelist of allowed file types is recommended until a vendor fix is available.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
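The sanitization step recommended in the mitigation section, as an added example that is not Zenario's code or part of the advisory: a server-side scrub of an uploaded SVG that drops script-bearing elements, `on*` event-handler attributes and `href` values outside a small allow-list (the denylist of tags, the allowed URL prefixes and the sample upload are all constructed assumptions for this illustration).

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that can run or load active content (constructed denylist; tune per deployment).
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "object", "embed", "animate", "set"}
# href values must be same-document fragments or plain http(s) URLs; javascript:, data: etc. go.
SAFE_HREF_PREFIXES = ("#", "http://", "https://")

def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]

def _scrub_attrs(el: ET.Element, removed: list) -> None:
    for attr in list(el.attrib):
        name = _local(attr)
        value = el.attrib[attr].strip().lower()
        if name.startswith("on") or (name == "href" and not value.startswith(SAFE_HREF_PREFIXES)):
            del el.attrib[attr]
            removed.append(f"@{name}")

def _scrub_tree(parent: ET.Element, removed: list) -> None:
    for child in list(parent):  # iterate over a copy: children are removed in place
        if _local(child.tag) in FORBIDDEN_TAGS:
            parent.remove(child)
            removed.append(f"<{_local(child.tag)}>")
            continue
        _scrub_attrs(child, removed)
        _scrub_tree(child, removed)

def sanitize_svg(data: bytes) -> tuple:
    """Return (cleaned SVG bytes, list of removed tags/attributes); reject non-SVG input."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = []
    _scrub_attrs(root, removed)
    _scrub_tree(root, removed)
    return ET.tostring(root, encoding="utf-8"), removed

# Constructed sample of the kind of profile-image upload the advisory describes.
SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(2)"><circle r="10" onclick="alert(3)"/></a>
  <rect width="5" height="5"/>
</svg>"""

if __name__ == "__main__":
    cleaned, removed = sanitize_svg(SAMPLE)
    print(removed)          # ['@onload', '<script>', '@href', '@onclick']
    print(cleaned.decode())
```

Serving the cleaned file with `Content-Type: image/svg+xml` and `Content-Disposition: attachment`, or rasterising it to PNG, closes the remaining rendering paths that a scrub alone does not.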
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tribalsystems/zenario (Packagist) | <= 9.3.57186 | — |
Affected products
- Zenario / CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.