CVE-2022-44235
Description
Beijing Zed-3 Technologies Co.,Ltd VoIP simplicity ASG 8.5.0.17807 (20181130-16:12) is vulnerable to Cross Site Scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Beijing Zed-3 Technologies VoIP simplicity ASG 8.5.0.17807 allows attackers to execute arbitrary JavaScript via the login page.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Beijing Zed-3 Technologies Co.,Ltd VoIP simplicity ASG version 8.5.0.17807 (20181130-16:12). The flaw resides in the /login.php?pMessage= parameter, where user-supplied input is not properly sanitized before being reflected back to the browser. This allows an attacker to inject arbitrary JavaScript code that executes in the context of the victim's session.
Exploitation
An attacker can craft a malicious URL or input containing a payload such as ` or . The attacker must entice a logged-in user to visit the crafted /login.php?pMessage=` page. No authentication is required to trigger the payload; any user who accesses the manipulated URL will have the script executed in their browser.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of session cookies, redirection to malicious sites, defacement, or other client-side attacks. The attacker can potentially hijack authenticated sessions and obtain sensitive information exposed to the victim's page.
Mitigation
As of the publication date (2022-12-15), no official patch or fixed version has been released by Beijing Zed-3 Technologies. Users should apply input validation and output encoding on the server side for the pMessage parameter. Restricting access to the administrative interface and ensuring proper Content Security Policy (CSP) headers can reduce the risk. The vulnerability is publicly disclosed and a proof-of-concept exists [1].
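One way to apply the input validation, output encoding and CSP steps described above, as an added Python example (not the vendor's code, which this page does not show). The handler, the allow-list pattern and the CSP value are assumptions, and the sample inputs in the comments and tests are constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: status messages are short plain text. The allow-list below is
# illustrative; the vendor's real message format is not given on this page.
ALLOWED_MESSAGE = re.compile(r"[A-Za-z0-9 .,:!?'()_-]{1,200}")

# Assumed policy: same-origin scripts only, so injected inline script is blocked.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def extract_pmessage(url):
    """Return every decoded pMessage value (the parameter may be repeated)."""
    return parse_qs(urlsplit(url).query).get("pMessage", [])


def validate_pmessage(value):
    """Input validation: accept only text matching the allow-list in full."""
    return ALLOWED_MESSAGE.fullmatch(value) is not None


def render_login_message(value):
    """Output encoding: escape HTML metacharacters even in validated text."""
    return '<p class="login-message">' + html.escape(value, quote=True) + "</p>"


def handle_login_request(url):
    """Hypothetical login handler returning (status, headers, body)."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
    }
    values = extract_pmessage(url)
    # Reject repeated parameters and anything outside the allow-list,
    # including double-encoded input that still contains '%' after decoding.
    if len(values) > 1 or (values and not validate_pmessage(values[0])):
        return 400, headers, "<p>Invalid request.</p>"
    message = render_login_message(values[0]) if values else ""
    return 200, headers, '<form method="post" action="/login.php"></form>' + message
```

Validation and encoding are applied together on purpose: the allow-list rejects unexpected input early, and escaping keeps the page safe if the allow-list is later loosened.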
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Beijing Zed-3 Technologies Co.,Ltd / VoIP simplicity ASG
- Range: 8.5.0.17807 (20181130-16:12)
Patches
No patches discovered yet.
References