VYPR
Medium severity 6.4 · NVD Advisory · Published Feb 1, 2026 · Updated Apr 15, 2026

CVE-2022-50940


Description

Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. Attackers can exploit the vulnerability to execute arbitrary scripts in users and activity log backend modules, potentially leading to session hijacking and persistent phishing attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Knap Advanced PHP Login 3.1.3 is vulnerable to persistent XSS via the name parameter, enabling arbitrary script execution in backend modules.

Vulnerability Overview

Knap Advanced PHP Login version 3.1.3 contains a persistent cross-site scripting (XSS) vulnerability in the name parameter. The application fails to properly sanitize user-supplied input before storing it, allowing attackers to inject arbitrary HTML and JavaScript code. This flaw is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) [2].

Exploitation and Attack Surface

An attacker with the ability to supply a crafted name parameter can inject malicious script code. The injected payload is stored and later executed when an administrator views the users or activity log backend modules. The attack requires low privileges (PR:L), since the attacker must have an account that can modify the name field, and user interaction (UI:P) from an administrator who visits the affected pages. The attack vector is network (AV:N), so the attack can be carried out remotely [2].

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of the administrator's session. This can lead to session hijacking, persistent phishing attacks, and unauthorized actions performed on behalf of the administrator. The vulnerability impacts the confidentiality and integrity of the application at a low level, with no impact on availability [2].

Mitigation

As of the publication date, no patch has been released for this vulnerability. Users of Knap Advanced PHP Login 3.1.3 and earlier versions are advised to apply input validation and output encoding for the name parameter, or restrict access to the backend modules until a vendor-supplied fix becomes available [2].
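One way to apply the input validation and output encoding recommended above, as an added PHP example that is not code from Knap Advanced PHP Login or from the advisory. The function names, the name allow-list and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; names are assumptions, not Knap Advanced PHP Login code.

/** Input validation: allow-list for display names, applied before storage. */
function validate_name(string $raw): ?string
{
    $name = trim($raw);
    // Letters, marks, digits, space, dot, apostrophe, hyphen; 1-64 characters.
    // With the /u flag, invalid UTF-8 makes preg_match() return false, which is also rejected.
    if (preg_match('/^[\p{L}\p{M}\p{N} .\'\-]{1,64}$/u', $name) !== 1) {
        return null; // reject instead of trying to strip markup
    }
    return $name;
}

/** Output encoding for HTML text and quoted attribute contexts. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one row of a users or activity-log table with every field encoded. */
function render_row(array $fields): string
{
    $cells = array_map(fn(string $f): string => '<td>' . e($f) . '</td>', $fields);
    return '<tr>' . implode('', $cells) . '</tr>';
}

// Constructed sample inputs: one ordinary name, one containing markup.
$samples = ["Anne-Marie O'Neil", '<script>alert(1)</script>'];

foreach ($samples as $raw) {
    $name = validate_name($raw);
    echo ($name === null ? 'rejected' : 'accepted'), ': ', e($raw), PHP_EOL;
}

// Rows stored before validation existed still need encoding on output,
// so the backend views encode every field regardless of how it was validated.
echo render_row(['42', '<script>alert(1)</script>', 'profile updated']), PHP_EOL;
```

Validation on input narrows what can be stored, but the encoding in `render_row` is what prevents a stored value from being interpreted as markup in the users and activity log views.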

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

3
