CVE-2022-42187 is a Cross-Site Scripting (XSS) vulnerability identified in the Hustoj online judge system, specifically in the /admin/problem_judge.php component. Hustoj is an open-source online judge system used primarily in programming contest environments to automatically evaluate submitted code. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation, which allows an attacker to inject malicious scripts. The vulnerability has a CVSS 3.1 base score of 6.1, reflecting a medium severity level. The vector details (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicate that the attack can be performed remotely over the network without privileges and with low attack complexity, but requires user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality and integrity to a low degree, with no impact on availability. Specifically, an attacker could craft a malicious link or input that, when accessed or processed by an administrator in the /admin/problem_judge.php page, could execute arbitrary JavaScript in the administrator’s browser context. This could lead to theft of session tokens, unauthorized actions, or manipulation of the admin interface. No patches or known exploits in the wild are currently reported, but the vulnerability is publicly disclosed and enriched by CISA, indicating awareness by security authorities. The lack of vendor or product-specific details suggests this vulnerability is tied to a specific version of Hustoj (22.09.22), but exact affected versions are not enumerated.

For European organizations using Hustoj, particularly educational institutions, programming contest platforms, or companies running internal coding challenge systems, this vulnerability poses a risk of administrative account compromise through session hijacking or unauthorized command execution within the admin panel. The XSS vulnerability could allow attackers to manipulate problem judging configurations or access sensitive data related to submissions and users. Given the administrative nature of the affected page, the integrity of the judging process could be undermined, potentially affecting fairness and trust in competition results. Confidentiality of administrative credentials and session information is at risk, which could cascade into broader system compromise if attackers leverage stolen credentials. However, the requirement for user interaction (an admin clicking a malicious link or viewing crafted content) limits the ease of exploitation. The absence of known active exploits reduces immediate threat but does not eliminate risk, especially as attackers often weaponize disclosed vulnerabilities over time. Organizations relying on Hustoj should consider the potential reputational damage and operational disruption if the vulnerability is exploited.

1. Immediate mitigation should include restricting access to the /admin/problem_judge.php page to trusted networks and users only, minimizing exposure to potential attackers. 2. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the admin interface. 3. Sanitize and validate all user inputs rigorously on the server side, especially those rendered in the admin panel, to prevent injection of malicious scripts. 4. Educate administrators to avoid clicking on suspicious links or opening untrusted content while logged into the admin interface. 5. Monitor web server logs and application logs for unusual requests or patterns indicative of attempted XSS exploitation. 6. If possible, update to a patched version of Hustoj once available or apply community-provided patches addressing this vulnerability. 7. Employ multi-factor authentication (MFA) for admin accounts to reduce risk from session hijacking. 8. Conduct regular security assessments and penetration tests focusing on web interface vulnerabilities to detect similar issues proactively.