Platform
php
Component
facturascripts
Fixed in
2022.07
CVE-2022-1571 is a reflected Cross-Site Scripting (XSS) vulnerability discovered in the facturascripts application prior to version 2022.07. This flaw allows attackers to inject arbitrary JavaScript code into the application, potentially compromising user accounts and sensitive data. The vulnerability resides within the 'Create Subaccount' functionality and has been assigned a CVSS score of 9.9 (CRITICAL). A patch was released in version 2022.07.
The impact of CVE-2022-1571 is significant due to the ease of exploitation and the potential for widespread compromise. An attacker can leverage this XSS vulnerability to execute malicious JavaScript code within the context of a victim's browser session. This allows them to steal session cookies, effectively impersonating the user and gaining unauthorized access to their account. Furthermore, the injected script can perform HTTP requests to other domains, potentially exfiltrating sensitive data or launching further attacks against the victim's network. The 'same origin' restriction limits the scope of actions within the application itself, but the ability to steal cookies and perform external requests represents a serious security risk.
CVE-2022-1571 was publicly disclosed on May 4, 2022. While no active exploitation campaigns have been definitively confirmed, the CRITICAL severity and ease of exploitation make it a likely target for opportunistic attackers. No proof-of-concept code has been publicly released, but the vulnerability's nature makes it relatively straightforward to exploit. It is not currently listed on the CISA KEV catalog.
Organizations and individuals using facturascripts versions prior to 2022.07 are at risk, particularly those with publicly accessible instances of the application. Shared hosting environments where multiple users share the same facturascripts installation are especially vulnerable, as a compromise of one user's account could potentially lead to the compromise of others.
• php / web:
curl -s -X POST "http://<target>/create_subaccount.php?username=<script>alert(1)</script>" | grep -i alert
• generic web:
curl -s -X POST "http://<target>/create_subaccount.php?username=<script>alert(1)</script>" | grep -i alert
Exploit Status
EPSS
0.32% (percentile 55%)
CVSS Vector
The primary mitigation for CVE-2022-1571 is to immediately upgrade facturascripts to version 2022.07 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing temporary workarounds such as strict input validation and output encoding on the 'Create Subaccount' page. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can also provide a layer of protection. Regularly review and update WAF rules to ensure they are effective against emerging threats. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into the 'Create Subaccount' field and confirming that it is properly sanitized.
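The vulnerable output pattern beside its hardened form, together with the post-upgrade check the paragraph above describes, as an added PHP illustration; this is not facturascripts' own code, and the form field, parameter name and username character policy are assumptions.

```php
<?php
// Added illustration of the pattern the advisory describes; this is not
// facturascripts code. The form field, parameter name and the username
// character policy are assumptions.
declare(strict_types=1);

// Vulnerable form: the raw request value is concatenated into HTML, so a
// username such as <script>alert(1)</script> is returned as live markup.
function renderSubaccountFormVulnerable(array $request): string
{
    $username = $request['username'] ?? '';
    return '<input type="text" name="username" value="' . $username . '">';
}

// Hardened form: encode for the HTML attribute context at output time.
// ENT_QUOTES also encodes single quotes, so the value cannot close the
// value="..." attribute and start a new one.
function renderSubaccountFormFixed(array $request): string
{
    $username = $request['username'] ?? '';
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="username" value="' . $safe . '">';
}

// Optional input-validation layer: reject values outside an assumed
// username alphabet before they reach storage or rendering.
function isAcceptableUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username) === 1;
}

// Post-upgrade check from the advisory: submit a harmless marker and confirm
// the response carries it only in encoded form, never verbatim.
function markerIsNeutralised(string $html, string $marker): bool
{
    $encoded = htmlspecialchars($marker, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return strpos($html, $marker) === false && strpos($html, $encoded) !== false;
}

// Constructed request; in a real handler this comes from $_GET or $_POST.
$request = ['username' => '<script>alert(1)</script>'];
$marker  = $request['username'];

var_dump(isAcceptableUsername($marker));
var_dump(markerIsNeutralised(renderSubaccountFormVulnerable($request), $marker));
var_dump(markerIsNeutralised(renderSubaccountFormFixed($request), $marker));
```

The validation regex rejects the marker and the hardened renderer neutralises it, while the vulnerable renderer reflects it verbatim; the same check can be run against a live response body captured after upgrading.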
Update facturascripts to version 2022.07 or later. This version fixes the reflected Cross-Site Scripting (XSS) vulnerability in subaccount creation.
CVE-2022-1571 is a critical XSS vulnerability in facturascripts versions before 2022.07, allowing attackers to inject malicious JavaScript code.
You are affected if you are using facturascripts versions prior to 2022.07. Upgrade immediately to mitigate the risk.
Upgrade facturascripts to version 2022.07 or later. Consider temporary workarounds like input validation and WAF rules if immediate upgrade is not possible.
While no active campaigns are confirmed, the CRITICAL severity and ease of exploitation make it a likely target for attackers.
Refer to the facturascripts GitHub repository (neorazorx/facturascripts) for updates and advisories related to CVE-2022-1571.