CVE-2022-41994: Cross-site scripting in baserCMS Users Community baserCMS

Medium
Published: Wed Dec 07 2022 (12/07/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: baserCMS Users Community
Product: baserCMS

Description

Stored cross-site scripting vulnerability in Permission Settings of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.

AI-Powered Analysis

Last updated: 06/22/2025, 07:23:07 UTC

Technical Analysis

CVE-2022-41994 is a stored cross-site scripting (XSS) vulnerability in baserCMS, an open-source content management system widely used for website management. The vulnerability exists in the Permission Settings functionality of baserCMS versions prior to 4.7.2. It allows a remote, authenticated attacker with administrative privileges to inject arbitrary scripts into the application. The injection is possible because the input fields in the permission settings do not properly sanitize or encode user-supplied data, so the payload is stored. When other users or administrators view the affected pages, the stored script executes in their browsers in the context of the vulnerable site.

The CVSS 3.1 base score for this vulnerability is 4.8 (medium severity). The vector indicates a network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), user interaction required (UI:R), changed scope (S:C), low impact on confidentiality and integrity (C:L/I:L), and no impact on availability (A:N). Exploitation requires an authenticated user with administrative rights, which limits the attack surface to insiders or compromised admin accounts. No known exploits in the wild have been reported to date.

The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web security weakness. The issue was reserved on 2022-10-22 and published on 2022-12-07. While no official patch links are provided in the data, upgrading to baserCMS version 4.7.2 or later is implied as the remediation step. The vulnerability is relevant to organizations using baserCMS for website management, especially those with multiple administrators or users with elevated privileges.

Potential Impact

For European organizations using baserCMS, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of administrative sessions and data. An attacker with administrative access could inject malicious scripts that execute in the browsers of other administrators or users with elevated privileges, potentially leading to session hijacking, credential theft, or unauthorized actions performed in the context of the victim's session. This could compromise sensitive website management functions or lead to defacement or data manipulation. However, since exploitation requires administrative privileges and user interaction, the risk of external attackers exploiting this vulnerability remotely without prior access is limited. The impact on availability is negligible. Organizations in sectors with high regulatory requirements for data protection, such as finance, healthcare, and government, may face compliance risks if such an attack leads to data leakage or unauthorized changes. Additionally, organizations with multiple administrators or complex permission settings are more exposed. Given the widespread use of baserCMS in Japan and some European countries for small to medium-sized websites, the vulnerability could affect a range of public-facing websites, potentially impacting brand reputation and trust if exploited.

Mitigation Recommendations

1. Upgrade baserCMS installations to version 4.7.2 or later, where this vulnerability has been addressed.
2. Implement strict input validation and output encoding on all user-supplied data in permission settings and other administrative interfaces to prevent script injection.
3. Limit the number of users with administrative privileges to the minimum necessary and enforce strong authentication mechanisms, such as multi-factor authentication (MFA), to reduce the risk of compromised admin accounts.
4. Monitor administrative actions and logs for unusual behavior that could indicate exploitation attempts.
5. Educate administrators about the risks of XSS and the importance of cautious interaction with administrative interfaces, especially when clicking links or opening content generated by other admins.
6. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the baserCMS admin interface.
7. Regularly audit and review permission settings to detect and remove any suspicious or unauthorized entries that could be used to inject malicious scripts.
8. If upgrading immediately is not feasible, consider isolating the baserCMS admin interface behind VPN or IP whitelisting to limit access to trusted networks only.
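Items 2 and 7 in the list above can be combined into one audit pass over stored permission entries. This is an added example, not baserCMS code: the record fields `id`, `name` and `url`, the sample rows and the URL allow-list pattern are all assumptions made for illustration.

```python
import html
import re

# Constructed sample rows; the field names are hypothetical and do not
# reflect the real baserCMS permission schema.
SAMPLE_PERMISSIONS = [
    {"id": 1, "name": "Page management", "url": "/admin/pages/*"},
    {"id": 2, "name": "<script>alert(1)</script>", "url": "/admin/users/*"},
    {"id": 3, "name": "Blog", "url": '/admin/blog/" onmouseover="x'},
    {"id": 4, "name": "Q&A editors", "url": "/admin/qa/*"},
]

# Characters that can change the HTML parsing context when a stored
# value is written to a page without encoding.
MARKUP_CHARS = re.compile(r"[<>\"'`]")
# Assumed allow-list for a permission URL pattern: path characters and '*'.
URL_ALLOWED = re.compile(r"/[A-Za-z0-9_\-./*]*")


def audit(rows):
    """Return (id, field) pairs for entries that deserve manual review."""
    findings = []
    for row in rows:
        if MARKUP_CHARS.search(row["name"]):
            findings.append((row["id"], "name"))
        if not URL_ALLOWED.fullmatch(row["url"]):
            findings.append((row["id"], "url"))
    return findings


def render_row(row):
    """Output encoding at render time: escape for element and attribute context."""
    name = html.escape(row["name"], quote=True)
    url = html.escape(row["url"], quote=True)
    return f'<tr><td>{name}</td><td title="{url}">{url}</td></tr>'


if __name__ == "__main__":
    for row_id, field in audit(SAMPLE_PERMISSIONS):
        print(f"review permission id={row_id}: suspicious {field}")
    for row in SAMPLE_PERMISSIONS:
        print(render_row(row))
```

The audit flags entries for review, while `render_row` shows why encoding at output is the actual fix: a legitimate name such as "Q&A editors" is not flagged and still renders safely.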


Technical Details

Data Version: 5.1
Assigner Short Name: jpcert
Date Reserved: 2022-10-22T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9847c4522896dcbf596c

Added to database: 5/21/2025, 9:09:27 AM

Last enriched: 6/22/2025, 7:23:07 AM

Last updated: 8/1/2025, 10:29:53 AM
