
CVE-2022-45008: n/a in n/a

Severity: Medium
Type: Vulnerability
Tags: CVE-2022-45008, cve, cve-2022-45008, n-a, cwe-79
Published: Wed Dec 07 2022 (12/07/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Online Leave Management System v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /leave_system/admin/?page=maintenance/department. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted payload injected into the Name field under the Create New module.

AI-Powered Analysis

Last updated: 06/22/2025, 06:51:46 UTC

Technical Analysis

CVE-2022-45008 is a stored cross-site scripting (XSS) vulnerability identified in the Online Leave Management System version 1.0. The vulnerability exists in the administrative component located at /leave_system/admin/?page=maintenance/department, specifically within the 'Create New' module's Name field. An attacker can inject malicious scripts or HTML payloads into this field, which are then stored persistently on the server. When an authorized user accesses the affected page, the malicious script executes in their browser context. This can lead to unauthorized actions such as session hijacking, defacement, or redirection to malicious sites. The vulnerability requires the attacker to have high privileges (PR:H) to inject the payload and also requires user interaction (UI:R) for the malicious script to execute. The CVSS v3.1 base score is 4.8, indicating a medium severity level. The attack vector is network-based (AV:N), and the scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality and integrity is low, with no impact on availability. No known public exploits have been reported, and no patches or vendor information are currently available. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks.

Potential Impact

For European organizations using the Online Leave Management System v1.0, this vulnerability poses a risk primarily to administrative users who manage departmental data. Successful exploitation could allow attackers to execute arbitrary scripts in the context of an administrator's session, potentially leading to theft of session tokens, unauthorized changes to system data, or phishing attacks targeting internal users. While the impact on system availability is negligible, the compromise of administrative credentials or session data could facilitate further attacks within the organization's network. Given that the vulnerability requires high privileges to inject payloads and user interaction for execution, the risk is somewhat mitigated but still significant in environments where administrative access controls are weak or where social engineering could be used to lure administrators into triggering the payload. The lack of patches and vendor support increases the risk of exploitation over time. Additionally, if the system integrates with other internal HR or payroll systems, the integrity of sensitive employee data could be at risk, potentially leading to compliance issues under GDPR and other European data protection regulations.

Mitigation Recommendations

1. Restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of unauthorized payload injection.
2. Implement rigorous input validation and output encoding on the Name field and all user-supplied data to neutralize malicious scripts before storage and rendering.
3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context.
4. Conduct regular security audits and penetration testing focused on web application vulnerabilities, especially stored XSS.
5. Educate administrators about the risks of clicking on suspicious links or interacting with untrusted content within the admin interface.
6. If possible, isolate the leave management system from critical internal networks to contain potential exploitation impact.
7. Monitor logs for unusual administrative activity or unexpected input submissions to detect attempted exploitation.
8. Since no official patches are available, consider deploying web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the vulnerable endpoint.
9. Plan for migration or replacement of the vulnerable system with a more secure alternative that follows secure coding practices and receives regular security updates.
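
Recommendations 2 and 3 sketched in Python as an added example (not code from the Online Leave Management System or from this advisory). Because the payload is stored, the sketch also audits rows already saved, since input validation alone does not neutralize them. The allowlist pattern, function names, CSP value and sample rows are assumptions made for illustration.

```python
import html
import re
import unicodedata

# Assumed policy (not from the advisory): a department name starts with a letter
# or digit and contains only word characters, spaces and a few punctuation marks.
NAME_RE = re.compile(r"[^\W_][\w &.,'()/-]{0,99}")

# Assumed restrictive policy for admin pages: no inline or third-party script.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")


def validate_department_name(raw: str) -> str:
    """Input side: normalise, then accept only names matching the allowlist."""
    name = unicodedata.normalize("NFKC", raw).strip()
    if not NAME_RE.fullmatch(name):
        raise ValueError("department name contains characters outside the allowlist")
    return name


def render_department_row(name: str) -> str:
    """Output side: encode at render time, whatever is in storage."""
    return f"<tr><td>{html.escape(name, quote=True)}</td></tr>"


def audit_stored_names(rows):
    """Return ids of rows already in storage that would fail validation today."""
    flagged = []
    for row_id, name in rows:
        try:
            validate_department_name(name)
        except ValueError:
            flagged.append(row_id)
    return flagged


# Constructed sample rows standing in for the stored department records.
SAMPLE_ROWS = [
    (1, "Human Resources"),
    (2, "R&D (Berlin)"),
    (3, "<script>alert(1)</script>"),
]

if __name__ == "__main__":
    print("rows to review:", audit_stored_names(SAMPLE_ROWS))
    for _, stored in SAMPLE_ROWS:
        print(render_department_row(stored))
```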


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-11-07T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9847c4522896dcbf5b8b

Added to database: 5/21/2025, 9:09:27 AM

Last enriched: 6/22/2025, 6:51:46 AM

Last updated: 7/28/2025, 7:48:34 PM
