
CVE-2022-39301: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in momofoolish sra-admin

Medium
Published: Wed Oct 19 2022 (10/19/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: momofoolish
Product: sra-admin

Description

sra-admin is a background rights management system that separates the front and back end. sra-admin version 1.1.1 has a storage cross-site scripting (XSS) vulnerability. After logging into the sra-admin background, an attacker can upload an HTML page containing XSS attack code in "Personal Center" - "Profile Picture Upload", allowing theft of the user's personal information. This issue has been patched in 1.1.2. There are no known workarounds.

AI-Powered Analysis

Last updated: 06/21/2025, 23:15:25 UTC

Technical Analysis

CVE-2022-39301 is a security vulnerability classified as a stored cross-site scripting (XSS) flaw affecting sra-admin, a background rights management system designed to separate front-end and back-end operations. The vulnerability exists in sra-admin versions prior to 1.1.2, specifically version 1.1.1 and earlier. The issue arises from improper neutralization of script-related HTML tags (CWE-80) combined with unrestricted upload of files with dangerous types (CWE-434). An authenticated attacker who has logged into the sra-admin backend can exploit this vulnerability by uploading a crafted HTML file containing malicious JavaScript code via the "Personal Center" section under "Profile Picture Upload." Because the system does not properly sanitize or validate the uploaded content, the malicious script is stored and later executed in the context of other users who view the affected profile or interface. This can lead to theft of personal information, session hijacking, or other malicious actions performed with the victim user's privileges. The vulnerability has been addressed in version 1.1.2 of sra-admin, but no known workarounds exist for affected versions. No known exploits have been reported in the wild as of the published date, but the nature of stored XSS vulnerabilities means that exploitation can be impactful if attackers gain access to the system. The vulnerability requires authentication to access the upload functionality, limiting exposure to users with some level of access to the backend system. However, once exploited, the impact can extend to other authenticated users or administrators who interact with the compromised content. The vulnerability affects confidentiality and integrity primarily, with potential secondary impacts on availability if further exploitation leads to denial-of-service conditions or administrative disruption.

Potential Impact

For European organizations using sra-admin versions prior to 1.1.2, this vulnerability poses a moderate risk. Since sra-admin is a rights management system, it is likely deployed in environments where sensitive access controls and user permissions are managed, such as corporate intranets, government agencies, or managed service providers. Exploitation could lead to unauthorized disclosure of personal or organizational information, session hijacking, and potential privilege escalation if attackers leverage stolen credentials or session tokens. The requirement for authentication limits the attack surface to insiders or compromised accounts, but insider threats or credential theft remain significant risks. The impact on confidentiality is notable, as personal information and potentially sensitive administrative data can be exposed. Integrity may also be compromised if attackers inject malicious scripts that alter user interface behavior or data presentation. Availability impact is less direct but could occur if attackers disrupt administrative functions or cause system instability through malicious payloads. European organizations with strict data protection regulations (e.g., GDPR) may face compliance and reputational risks if such vulnerabilities lead to data breaches. The lack of known exploits in the wild reduces immediate urgency but does not eliminate risk, especially in targeted attacks against high-value organizations.

Mitigation Recommendations

1. Immediate upgrade to sra-admin version 1.1.2 or later is the primary and most effective mitigation to eliminate the vulnerability.
2. Implement strict access controls and monitoring on the sra-admin backend to limit the number of users with upload privileges, reducing the risk of insider exploitation.
3. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious HTML or script content uploads, particularly targeting the profile picture upload functionality.
4. Conduct regular security audits and code reviews focusing on input validation and file upload handling to prevent similar vulnerabilities.
5. Enforce multi-factor authentication (MFA) for backend access to reduce the risk of compromised credentials being used to exploit this vulnerability.
6. Monitor logs for unusual upload activity or access patterns that could indicate exploitation attempts.
7. Educate administrators and users about the risks of uploading untrusted content and encourage reporting of suspicious behavior.
8. If immediate patching is not possible, consider isolating the sra-admin system within a segmented network zone with limited access to reduce potential lateral movement from exploitation.
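The root cause described above is a profile-picture endpoint that stores whatever the client sends and later serves it from the application origin, so an uploaded HTML file runs as script in other users' sessions. The following is an added example, not code from sra-admin or its author, of the server-side check that recommendation 4 calls for: it trusts neither the filename nor the client-supplied Content-Type, identifies the image type from its leading bytes, rejects anything carrying HTML or script markup (including polyglots that start with a valid image header), and pairs the stored file with response headers that stop a browser from interpreting it as a document. sra-admin's actual language and upload API are not given on this page, so the function names, the size limit and the sample uploads are assumptions constructed for the example.

```python
"""
Hardened profile-picture upload validation (added example; hypothetical,
not sra-admin's own code). Demonstrates why filename and Content-Type
checks alone are insufficient against a stored XSS via file upload.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Magic-byte signatures for the only types a profile picture may be.
# Extensions are an allow-list; the bytes are what actually decides.
IMAGE_SIGNATURES: Dict[str, bytes] = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for an avatar

# Markup that would make the file active content if a browser ever
# rendered it as a document (SVG is included because it can carry script).
MARKUP_PATTERN = re.compile(
    rb"<\s*(?:!doctype|html|script|svg|iframe|object)\b", re.IGNORECASE
)


@dataclass(frozen=True)
class UploadDecision:
    accepted: bool
    detected_type: Optional[str]
    reason: str


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None."""
    for mime, signature in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return mime
    return None


def validate_profile_picture(filename: str, data: bytes) -> UploadDecision:
    """Decide whether an upload may be stored as a profile picture."""
    base = os.path.basename(filename)  # ignore any directory components
    ext = ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, None, f"extension {ext or '(none)'} not allowed")
    if len(data) > MAX_BYTES:
        return UploadDecision(False, None, "file exceeds size limit")
    detected = sniff_image_type(data)
    if detected is None:
        # Catches an HTML page renamed to .png: bytes say it is not an image.
        return UploadDecision(False, None, "content is not a recognised image")
    if MARKUP_PATTERN.search(data):
        # Catches polyglots: a real image header followed by script.
        return UploadDecision(False, detected, "image contains HTML/script markup")
    return UploadDecision(True, detected, "ok")


def response_headers_for_upload(detected_type: str) -> Dict[str, str]:
    """Headers for serving a stored upload so it can never run as a page.

    The Content-Type comes from the sniffed bytes, nosniff prevents the
    browser from second-guessing it, and a sandboxing CSP means that even
    a file opened as a top-level document cannot execute script.
    """
    return {
        "Content-Type": detected_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "private, no-transform",
    }


# Constructed sample uploads (not real attack artefacts from the advisory).
PNG_HEADER = IMAGE_SIGNATURES["image/png"]
SAMPLE_HTML_UPLOAD = b"<html><body><script>/* injected */</script></body></html>"
SAMPLE_PNG_POLYGLOT = PNG_HEADER + b"\x00" * 16 + b"<script>/* injected */</script>"
SAMPLE_PNG_CLEAN = PNG_HEADER + b"\x00" * 32


if __name__ == "__main__":
    for name, payload in [
        ("profile.html", SAMPLE_HTML_UPLOAD),   # rejected: extension
        ("profile.png", SAMPLE_HTML_UPLOAD),    # rejected: not an image
        ("avatar.png", SAMPLE_PNG_POLYGLOT),    # rejected: markup inside image
        ("avatar.png", SAMPLE_PNG_CLEAN),       # accepted
    ]:
        decision = validate_profile_picture(name, payload)
        print(f"{name:14} accepted={decision.accepted!s:5} {decision.reason}")
    print(response_headers_for_upload("image/png"))
```

The second rejected case is the one that matters for this CVE: renaming an HTML file to `.png` passes an extension check, so the decision has to rest on the bytes. The headers function is the complementary control for files that were stored before the fix was deployed, which is why a WAF rule on the upload path (recommendation 3) is not a substitute for fixing how stored files are served.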


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-09-02T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9849c4522896dcbf6a22

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 11:15:25 PM

Last updated: 8/16/2025, 3:52:29 AM

