Skip to main content

CVE-2022-43342: n/a in n/a

Medium
VulnerabilityCVE-2022-43342cvecve-2022-43342
Published: Mon Nov 14 2022 (11/14/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

A stored cross-site scripting (XSS) vulnerability in the Add function of Eramba GRC Software c2.8.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the KPI Title text field.

AI-Powered Analysis

AILast updated: 06/25/2025, 08:01:53 UTC

Technical Analysis

CVE-2022-43342 is a stored cross-site scripting (XSS) vulnerability identified in the Add function of Eramba GRC (Governance, Risk, and Compliance) Software version c2.8.1. The vulnerability arises when an attacker injects a crafted payload into the KPI Title text field, which is then stored and rendered without proper sanitization or encoding. This allows the execution of arbitrary web scripts or HTML in the context of the victim's browser when they view the affected page. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. The CVSS 3.1 base score is 5.4 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), user interaction (UI:R), scope changed (S:C), and low impact on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). Exploitation requires an authenticated user with privileges to add KPI entries and some user interaction to trigger the payload. No public exploits are known in the wild, and no official patches or vendor details are provided in the source information. The vulnerability could be leveraged to steal session tokens, perform actions on behalf of users, or conduct phishing attacks within the application context, potentially leading to further compromise of sensitive governance and compliance data managed by Eramba.

Potential Impact

For European organizations using Eramba GRC software, this vulnerability poses a risk to the confidentiality and integrity of sensitive governance, risk, and compliance data. An attacker exploiting this flaw could execute malicious scripts in the browsers of users with access to the KPI module, potentially leading to session hijacking, unauthorized actions, or data leakage. Given that GRC software is often used by compliance officers, auditors, and risk managers, compromise could undermine regulatory compliance efforts and expose organizations to legal and financial risks. The scope of impact is limited to organizations deploying Eramba, but within those environments, the risk is significant due to the privileged nature of the users involved. The requirement for authenticated access and user interaction reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks, especially insider threats or compromised user accounts. European organizations in regulated sectors such as finance, healthcare, and critical infrastructure, where GRC tools are integral, may face increased risk of compliance violations or reputational damage if this vulnerability is exploited.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the KPI Add function to only trusted and necessary users, minimizing the attack surface. 2. Implement strict input validation and output encoding on the KPI Title field to neutralize malicious scripts, ideally by applying a web application firewall (WAF) rule targeting typical XSS payload patterns in this input. 3. Encourage users to follow the principle of least privilege, ensuring only authorized personnel can add or modify KPIs. 4. Monitor application logs for unusual activity related to KPI entries or unexpected script execution errors. 5. If possible, isolate the GRC application environment and enforce Content Security Policy (CSP) headers to limit the impact of any injected scripts. 6. Engage with the Eramba community or vendor for official patches or updates addressing this vulnerability. 7. Conduct user awareness training to recognize phishing or suspicious behavior that might exploit this vulnerability. 8. Regularly review and update authentication mechanisms to prevent account compromise that could facilitate exploitation.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2022-10-17T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d983bc4522896dcbedeb5

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 6/25/2025, 8:01:53 AM

Last updated: 8/11/2025, 12:33:24 PM

Views: 14

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats