
CVE-2022-37250: n/a in n/a

Severity: Medium
Published: Fri Sep 16 2022 (09/16/2022, 14:57:51 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount.

AI-Powered Analysis

Last updated: 07/04/2025, 12:11:22 UTC

Technical Analysis

CVE-2022-37250 is a medium-severity vulnerability affecting Craft CMS version 4.2.0.1. The issue is a Stored Cross-Site Scripting (XSS) vulnerability located in the /admin/myaccount endpoint. Stored XSS vulnerabilities occur when malicious input is saved by the application and later rendered in a web page without proper sanitization or encoding, allowing attackers to execute arbitrary JavaScript in the context of other users’ browsers.

In this case, the vulnerability requires an attacker with at least some level of privileges (PR:L - privileges required: low) and user interaction (UI:R - user interaction required) to exploit. The CVSS vector indicates the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality and integrity to a limited extent (C:L, I:L) but does not affect availability (A:N). No known exploits are currently reported in the wild, and no official patches or vendor advisories are linked in the provided data. The vulnerability is classified under CWE-79, which corresponds to improper neutralization of input during web page generation, a common cause of XSS.

Since the vulnerability is in the administrative interface (/admin/myaccount), exploitation could allow attackers to hijack admin sessions, steal sensitive information, or perform actions on behalf of administrators if they can trick an admin user into triggering the malicious payload. The requirement for some privileges and user interaction limits the ease of exploitation but does not eliminate risk, especially in environments where multiple users have admin or editor roles. Craft CMS is a popular content management system used by organizations to manage websites and digital content, so this vulnerability could impact the integrity and confidentiality of managed content and administrative controls.

Potential Impact

For European organizations using Craft CMS 4.2.0.1, this vulnerability poses a risk primarily to the confidentiality and integrity of administrative accounts and managed content. Exploitation could lead to unauthorized actions performed with admin privileges, including content manipulation, data theft, or further pivoting within the network. Given the administrative nature of the affected endpoint, successful exploitation could compromise the entire CMS environment, potentially impacting website availability indirectly through malicious content injection or defacement. The requirement for some privileges and user interaction reduces the likelihood of mass exploitation but does not eliminate targeted attacks, especially against organizations with multiple CMS users or less stringent internal security controls. European organizations in sectors such as media, e-commerce, government, and education that rely on Craft CMS for public-facing websites or internal portals could face reputational damage, data breaches, or regulatory compliance issues (e.g., GDPR) if this vulnerability is exploited. The absence of known exploits in the wild suggests that immediate risk is moderate, but the vulnerability should be addressed promptly to prevent future exploitation.

Mitigation Recommendations

1. Upgrade Craft CMS to a version where this vulnerability is patched. Since no patch links are provided, organizations should consult the official Craft CMS security advisories or vendor support channels for updates.
2. Implement strict input validation and output encoding on all user-supplied data, especially in administrative interfaces, to prevent injection of malicious scripts.
3. Restrict administrative access to trusted users only and enforce the principle of least privilege to minimize the number of users who can exploit this vulnerability.
4. Employ Content Security Policy (CSP) headers to reduce the impact of XSS attacks by restricting the sources from which scripts can be loaded and executed.
5. Monitor administrative account activities and web server logs for unusual behavior that could indicate attempted exploitation.
6. Educate administrative users about phishing and social engineering risks, as user interaction is required for exploitation.
7. Consider implementing multi-factor authentication (MFA) for admin accounts to mitigate the risk of session hijacking or credential theft resulting from XSS exploitation.


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2022-08-01T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683f3b5c182aa0cae287156c

Added to database: 6/3/2025, 6:13:48 PM

Last enriched: 7/4/2025, 12:11:22 PM

Last updated: 8/11/2025, 11:49:28 PM

