Skip to main content

CVE-2022-41472: n/a in n/a

Medium
VulnerabilityCVE-2022-41472cvecve-2022-41472
Published: Mon Oct 17 2022 (10/17/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

74cmsSE v3.12.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /apiadmin/notice/add. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field.

AI-Powered Analysis

AILast updated: 07/06/2025, 13:11:00 UTC

Technical Analysis

CVE-2022-41472 is a cross-site scripting (XSS) vulnerability identified in the 74cmsSE software version 3.12.0, specifically within the /apiadmin/notice/add component. This vulnerability arises due to insufficient input sanitization or output encoding of the Title field, allowing an attacker to inject crafted malicious scripts or HTML code. When a victim user accesses the affected functionality or page, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability requires the attacker to have low privileges (PR:L) and user interaction (UI:R), such as tricking an authenticated user into visiting a malicious link or submitting crafted input. The CVSS v3.1 base score is 5.4 (medium severity), reflecting network attack vector (AV:N), low attack complexity (AC:L), partial privileges required, user interaction, and a scope change (S:C) indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality and integrity but not availability. No known public exploits have been reported, and no patches are currently linked, indicating that mitigation may rely on configuration or input validation improvements by administrators or developers.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to web applications using 74cmsSE v3.12.0 or similar components. Successful exploitation could lead to unauthorized disclosure of sensitive information, session hijacking, or manipulation of web content, undermining user trust and potentially leading to further attacks such as phishing or privilege escalation. Organizations in sectors with high regulatory scrutiny, such as finance, healthcare, or government, may face compliance risks if user data confidentiality is compromised. Additionally, the scope change in the CVSS vector suggests that the vulnerability could affect multiple components or users beyond the initial target, increasing potential damage. However, the requirement for user interaction and partial privileges limits the ease of exploitation, somewhat reducing the overall threat level. Nonetheless, attackers targeting European entities with web-facing 74cmsSE installations could leverage this vulnerability for targeted attacks or lateral movement within networks.

Mitigation Recommendations

To mitigate CVE-2022-41472, European organizations should first identify any deployments of 74cmsSE v3.12.0 or related components. Since no official patches are currently linked, immediate mitigation should focus on implementing strict input validation and output encoding on the Title field within the /apiadmin/notice/add endpoint to neutralize malicious scripts. Web application firewalls (WAFs) can be configured to detect and block typical XSS payloads targeting this endpoint. Additionally, enforcing the principle of least privilege to limit user permissions reduces the risk posed by partial privilege requirements. Organizations should also educate users and administrators about the risks of interacting with untrusted inputs and monitor logs for suspicious activity related to this API endpoint. Regular security assessments and code reviews focusing on injection vulnerabilities will help prevent similar issues. Finally, organizations should stay alert for vendor patches or updates addressing this vulnerability and apply them promptly once available.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2022-09-26T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fb1484d88663aec82d

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 1:11:00 PM

Last updated: 7/30/2025, 10:48:24 PM

Views: 10

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats