Skip to main content

CVE-2022-45223: n/a in n/a

Medium
VulnerabilityCVE-2022-45223cvecve-2022-45223
Published: Mon Nov 28 2022 (11/28/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /Admin/add-student.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtfullname parameter.

AI-Powered Analysis

AILast updated: 06/24/2025, 21:19:32 UTC

Technical Analysis

CVE-2022-45223 is a medium-severity cross-site scripting (XSS) vulnerability identified in the Web-Based Student Clearance System version 1.0, specifically within the /Admin/add-student.php endpoint. The vulnerability arises from improper sanitization or validation of user-supplied input in the txtfullname parameter, which allows an attacker to inject arbitrary HTML or JavaScript code. When an administrator or authorized user accesses the affected page with the malicious payload, the injected script executes in their browser context. This can lead to session hijacking, credential theft, or unauthorized actions performed with the privileges of the authenticated user. The vulnerability requires that the attacker has the ability to submit crafted input to the system and that the victim user interacts with the malicious content (user interaction required). The CVSS 3.1 base score is 4.8, reflecting a medium severity rating, with an attack vector of network (remote exploitation possible), low attack complexity, but requiring high privileges and user interaction. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no official patches have been linked, suggesting that mitigation depends on secure coding practices and input validation. The vulnerability is classified under CWE-79, which is a common and well-understood web application security issue related to improper neutralization of input leading to XSS.

Potential Impact

For European organizations, particularly educational institutions or administrative bodies using this or similar web-based student clearance systems, the impact includes potential compromise of administrator accounts and unauthorized access to sensitive student data. Exploitation could lead to theft of personally identifiable information (PII), manipulation of student records, or unauthorized administrative actions. Since the vulnerability requires high privileges to inject the payload and user interaction to trigger the exploit, the risk is somewhat mitigated but remains significant in environments where multiple administrators or staff have access to the system. The confidentiality and integrity of student data are primarily at risk, while availability is less likely to be affected. Given the sensitivity of educational data under GDPR regulations, exploitation could also result in regulatory penalties and reputational damage. The vulnerability could be leveraged as a foothold for further attacks within the network if attackers gain administrative session tokens or credentials via XSS.

Mitigation Recommendations

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on all user-supplied data, especially in administrative interfaces. Specifically, the txtfullname parameter must be sanitized to neutralize HTML and JavaScript content before rendering. Employing Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Additionally, multi-factor authentication (MFA) for administrative accounts can reduce the risk of session hijacking. Regular security audits and code reviews focusing on injection vulnerabilities should be conducted. Since no official patch is available, organizations should consider isolating the affected system or restricting access to trusted administrators only. Monitoring logs for unusual input patterns or repeated failed attempts to inject scripts can help detect exploitation attempts early. Finally, educating administrative users about the risks of clicking on suspicious links or payloads within the system can reduce the likelihood of successful exploitation.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2022-11-14T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d983dc4522896dcbef48f

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 6/24/2025, 9:19:32 PM

Last updated: 8/17/2025, 11:36:01 PM

Views: 13

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats