Platform: php
Component: facturascripts
Fixed in: 2022.06
CVE-2022-1514 is a stored Cross-Site Scripting (XSS) vulnerability discovered in facturascripts, specifically within its plugin upload functionality. The vulnerability allows attackers to inject malicious code via specially crafted zip files. Successful exploitation can lead to data theft, session hijacking, and potentially malware installation on user machines. It affects versions of facturascripts prior to 2022.06, and a patch is available.
The impact of CVE-2022-1514 is significant due to the ease of exploitation and the potential consequences. An attacker can upload a malicious zip file containing JavaScript code through the plugin's upload functionality. When a user interacts with the uploaded file, the injected script executes in their browser context. This allows the attacker to steal session cookies, impersonate the user, and perform actions on their behalf. The attacker could also inject code to redirect users to phishing sites, deface the website, or install malware. The blast radius extends to all users who interact with the vulnerable plugin, making it a high-priority concern.
CVE-2022-1514 was publicly disclosed on April 28, 2022. While no active exploitation campaigns have been definitively linked to this specific CVE, the ease of exploitation and the potential impact make it a likely target. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge given the XSS nature of the vulnerability.
EPSS: 0.40% (60th percentile)
The primary mitigation for CVE-2022-1514 is to upgrade facturascripts to version 2022.06 or later, which contains the fix. If an immediate upgrade is not possible, consider temporarily disabling the upload plugin functionality to prevent new malicious uploads. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting file upload endpoints can provide an additional layer of protection. Review existing uploaded files for suspicious content and remove any potentially malicious files. After upgrading, confirm the vulnerability is resolved by attempting to upload a test zip file containing a simple JavaScript alert and verifying that the alert does not execute.
Update facturascripts to version 2022.06 or later. This version fixes the stored XSS vulnerability in the zip-format plugin upload functionality.
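A defender-side check for the review step above, added here as an example and not code from the FacturaScripts project: it scans a plugin zip's entry names and small text descriptor files for script markup, and shows the HTML escaping that any page rendering an uploaded name or description must apply. The entry names, descriptor file name and file contents are constructed sample data.

```python
import html
import io
import re
import zipfile

# Markup that has no business in a plugin archive's entry names or its text
# metadata; a hit flags the archive for manual review, it is not proof of attack.
SUSPICIOUS = re.compile(r"<\s*script\b|javascript:", re.IGNORECASE)

# Only small text/metadata entries are read; code and templates are left to a
# human reviewer because they may legitimately contain <script> tags.
TEXT_EXT = (".ini", ".txt", ".md", ".json")
MAX_TEXT_BYTES = 1_000_000


def audit_plugin_zip(data: bytes) -> list:
    """Return (entry_name, reason) findings for a plugin zip supplied as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if SUSPICIOUS.search(name):
                findings.append((name, "markup in entry name"))
            if name.lower().endswith(TEXT_EXT) and info.file_size <= MAX_TEXT_BYTES:
                text = zf.read(info).decode("utf-8", errors="replace")
                if SUSPICIOUS.search(text):
                    findings.append((name, "markup in file content"))
    return findings


def safe_display_name(name: str) -> str:
    """Escape an uploaded name/description before placing it in HTML output."""
    return html.escape(name, quote=True)


def build_sample_zip() -> bytes:
    """Constructed sample archive: a descriptor with a script tag and a hostile entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Descriptor file name is assumed for the example, not taken from the project.
        zf.writestr("MyPlugin/facturascripts.ini",
                    "name = MyPlugin\ndescription = <script>alert(1)</script>\n")
        zf.writestr("MyPlugin/Init.php", "<?php\n// plugin bootstrap, left to manual review\n")
        zf.writestr("<script>alert(1)</script>.txt", "harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_plugin_zip(build_sample_zip()):
        print(f"REVIEW {entry!r}: {reason}")
```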
CVE-2022-1514 is a critical stored Cross-Site Scripting (XSS) vulnerability in the facturascripts plugin upload functionality, allowing attackers to inject malicious code via uploaded zip files.
You are affected if you are using a version of facturascripts prior to 2022.06. Check your plugin version and upgrade immediately if vulnerable.
Upgrade facturascripts to version 2022.06 or later to resolve the vulnerability. Consider disabling the upload plugin temporarily if an upgrade is not immediately possible.
While no confirmed active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a potential target.
Refer to the facturascripts project's GitHub repository for updates and advisories related to CVE-2022-1514: [https://github.com/neorazorx/facturascripts](https://github.com/neorazorx/facturascripts)