CVE-2022-45722
Description
A stored cross-site scripting (XSS) vulnerability in ezEIP v5.3.0(0649) allows an attacker to inject arbitrary JavaScript code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ezEIP v5.3.0(0649) contains a cross-site scripting (XSS) vulnerability. The official description and reference [1] confirm the issue as context-dependent stored XSS, where user-controllable input is not properly sanitized before being stored and later rendered in the application. The exact injection point is not further detailed in the available source, but the vulnerability affects the web application serving the ezEIP platform [1].
Exploitation
An attacker requires the ability to submit input that is stored and later displayed to other users. The attack is context-dependent, meaning it may require user interaction such as clicking a link or viewing a maliciously crafted page. No authentication level is explicitly stated, but typical XSS exploitation assumes the attacker can reach the vulnerable input field(s). The exact sequence of steps is not provided in the reference [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information such as cookies, tokens, or page contents. The compromise scope is within the browser and the affected web application, not the underlying server [1].
Mitigation
The vendor website is http://gzwhir.com/, but no official patch or advisory has been publicly disclosed for this version as of the publication date. Users should upgrade to a version newer than v5.3.0(0649) if available, or apply input sanitization and output encoding as a workaround. No listing in CISA's KEV has been reported [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.