CVE-2022-42991 is a stored cross-site scripting (XSS) vulnerability identified in Simple Online Public Access Catalog (OPAC) version 1.0. This vulnerability arises from insufficient input sanitization in the 'Edit Account Full Name' field, allowing an attacker to inject malicious web scripts or HTML code. When a victim accesses the affected page, the injected payload executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability requires the attacker to have some level of privileges (PR:L - low privileges) and user interaction (UI:R - requires the victim to interact with the malicious content). The CVSS 3.1 base score is 5.4 (medium severity), reflecting a network attack vector with low attack complexity but requiring privileges and user interaction. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality and integrity is low, with no impact on availability. No known exploits are currently reported in the wild, and no patches have been linked, indicating that mitigation may rely on configuration or manual code fixes. The vulnerability is categorized under CWE-79, a common web application security weakness related to improper neutralization of input leading to XSS.

For European organizations using Simple Online Public Access Catalog v1.0, this vulnerability could lead to unauthorized execution of scripts in users' browsers, potentially compromising user credentials or session tokens. This could facilitate further attacks such as privilege escalation or unauthorized data access within the library or information management systems. Although the impact on availability is negligible, the confidentiality and integrity of user data and interactions could be compromised. Given that the vulnerability requires low privileges and user interaction, insider threats or compromised accounts could be leveraged to inject malicious payloads. The risk is particularly relevant for public institutions, universities, and libraries in Europe that rely on this software for catalog access, as exploitation could damage user trust and lead to data privacy issues under GDPR regulations.

European organizations should immediately review and restrict user input fields, especially the 'Edit Account Full Name' field, to prevent injection of HTML or script content. Implement strict input validation and output encoding on all user-supplied data to neutralize potentially malicious code. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Since no official patches are currently available, consider disabling or restricting the vulnerable functionality until a fix is released. Conduct regular security audits and penetration testing focused on XSS vulnerabilities. Educate users to recognize suspicious behavior and avoid interacting with untrusted links or content. Additionally, monitor logs for unusual activity that could indicate exploitation attempts. If possible, upgrade to a newer, patched version of the software once available.