免费扫描
CRITICALCVE-2022-1457CVSS 9

Store XSS in title parameter executing at EditUser Page & EditProducto page in neorazorx/facturascripts

翻译中…

平台

php

组件

facturascripts

修复版本

2022.04

AI Confidence: highNVDEPSS 0.4%已审阅: 2026年5月
在NVD查看
保存
正在翻译为您的语言…

CVE-2022-1457 is a critical stored Cross-Site Scripting (XSS) vulnerability affecting facturascripts versions up to and including 2022.04. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to data theft or malware installation. A patch was released in version 2022.04, addressing this security flaw.

影响与攻击场景翻译中…

The impact of this XSS vulnerability is significant. An attacker can inject arbitrary JavaScript code into the EditUser and EditProducto pages of facturascripts. This malicious code can then be executed in the context of a user's browser when they visit the affected page. This allows the attacker to steal sensitive information, such as session cookies, and impersonate legitimate users. Furthermore, the attacker could redirect users to malicious websites, deface the application, or even install malware on the user's machine. The potential for data exfiltration and account takeover makes this a high-priority vulnerability to address.

利用背景翻译中…

CVE-2022-1457 was publicly disclosed on April 25, 2022. There are currently no known active campaigns exploiting this vulnerability, but the ease of exploitation and the potential impact suggest it remains a significant risk. No public proof-of-concept (POC) code has been widely published, but the vulnerability is relatively straightforward to exploit, increasing the likelihood of future exploitation. The vulnerability is not listed on the CISA KEV catalog at the time of this writing.

哪些人处于风险中翻译中…

Organizations using facturascripts for invoice generation and management are at risk, particularly those running versions prior to 2022.04. Shared hosting environments where multiple users share the same facturascripts installation are especially vulnerable, as an attacker could potentially compromise other users' accounts through this XSS vulnerability.

检测步骤翻译中…

• generic web: Use curl to test the EditUser and EditProducto endpoints with a simple XSS payload (e.g., <script>alert(1)</script>) in the 'title' parameter. Examine the response for signs of script execution.

curl 'http://your-facturascripts-instance/edit_user.php?title=<script>alert(1)</script>'

• generic web: Review access logs for requests containing suspicious characters or patterns in the 'title' parameter, such as <script> or javascript:. • php: Examine the source code of edituser.php and editproducto.php for the handling of the 'title' parameter. Look for missing or inadequate input validation and output encoding.

攻击时间线

  1. Disclosure

    disclosure

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

EPSS

0.37% (59% 百分位)

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H9.0CRITICALAttack VectorNetwork攻击者如何到达目标Attack ComplexityHigh利用漏洞所需的条件Privileges RequiredNone攻击所需的认证级别User InteractionNone是否需要受害者采取行动ScopeChanged超出受影响组件的影响范围ConfidentialityHigh敏感数据泄露风险IntegrityHigh数据未授权篡改风险AvailabilityHigh服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
高 — 需要竞态条件、非默认配置或特定情况。难以可靠利用。
Privileges Required
无 — 无需认证,无需凭证即可利用。
User Interaction
无 — 攻击自动且无声,受害者无需任何操作。
Scope
已改变 — 攻击可以超出脆弱组件,影响其他系统。
Confidentiality
高 — 完全丧失机密性,攻击者可读取所有数据。
Integrity
高 — 攻击者可写入、修改或删除任何数据。
Availability
高 — 完全崩溃或资源耗尽,完全拒绝服务。

受影响的软件

组件facturascripts
供应商neorazorx
影响范围修复版本
unspecified – 2022.042022.04

弱点分类 (CWE)

CWE-79

时间线

  1. 已保留
  2. 发布日期
  3. 修改日期
  4. EPSS 更新日期

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2022-1457 is to immediately upgrade facturascripts to version 2022.04 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'title' parameter in the EditUser and EditProducto pages. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review access logs for suspicious activity, particularly requests containing unusual characters in the 'title' parameter. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the 'title' field and verifying that the script is not executed.

修复方法翻译中…

Actualice facturascripts a la versión 2022.04 o posterior. Esta versión contiene una corrección para la vulnerabilidad XSS almacenada en los parámetros de título de las páginas EditUser y EditProducto. La actualización eliminará el riesgo de que un atacante inyecte código malicioso en su aplicación.

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2022-1457 — XSS in facturascripts?

CVE-2022-1457 is a critical stored XSS vulnerability in facturascripts versions up to 2022.04, allowing attackers to inject malicious scripts via the 'title' parameter.

Am I affected by CVE-2022-1457 in facturascripts?

You are affected if you are running facturascripts versions prior to 2022.04. Upgrade immediately to mitigate the risk.

How do I fix CVE-2022-1457 in facturascripts?

Upgrade facturascripts to version 2022.04 or later. Implement input validation and output encoding as a temporary workaround if upgrading is not immediately possible.

Is CVE-2022-1457 being actively exploited?

While no active campaigns are currently known, the vulnerability's ease of exploitation makes it a potential target.

Where can I find the official facturascripts advisory for CVE-2022-1457?

Refer to the facturascripts GitHub repository for updates and advisories: https://github.com/neorazorx/facturascripts

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE