CVE-2022-45223: n/a in n/a
Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /Admin/add-student.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtfullname parameter.
AI Analysis
Technical Summary
CVE-2022-45223 is a medium-severity cross-site scripting (XSS) vulnerability identified in the Web-Based Student Clearance System version 1.0, specifically within the /Admin/add-student.php endpoint. The vulnerability arises from improper sanitization or validation of user-supplied input in the txtfullname parameter, which allows an attacker to inject arbitrary HTML or JavaScript code. When an administrator or authorized user accesses the affected page with the malicious payload, the injected script executes in their browser context. This can lead to session hijacking, credential theft, or unauthorized actions performed with the privileges of the authenticated user. The vulnerability requires that the attacker has the ability to submit crafted input to the system and that the victim user interacts with the malicious content (user interaction required). The CVSS 3.1 base score is 4.8, reflecting a medium severity rating, with an attack vector of network (remote exploitation possible), low attack complexity, but requiring high privileges and user interaction. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no official patches have been linked, suggesting that mitigation depends on secure coding practices and input validation. The vulnerability is classified under CWE-79, which is a common and well-understood web application security issue related to improper neutralization of input leading to XSS.
Potential Impact
For European organizations, particularly educational institutions or administrative bodies using this or similar web-based student clearance systems, the impact includes potential compromise of administrator accounts and unauthorized access to sensitive student data. Exploitation could lead to theft of personally identifiable information (PII), manipulation of student records, or unauthorized administrative actions. Since the vulnerability requires high privileges to inject the payload and user interaction to trigger the exploit, the risk is somewhat mitigated but remains significant in environments where multiple administrators or staff have access to the system. The confidentiality and integrity of student data are primarily at risk, while availability is less likely to be affected. Given the sensitivity of educational data under GDPR regulations, exploitation could also result in regulatory penalties and reputational damage. The vulnerability could be leveraged as a foothold for further attacks within the network if attackers gain administrative session tokens or credentials via XSS.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement strict input validation and output encoding on all user-supplied data, especially in administrative interfaces. Specifically, the txtfullname parameter must be sanitized to neutralize HTML and JavaScript content before rendering. Employing Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Additionally, multi-factor authentication (MFA) for administrative accounts can reduce the risk of session hijacking. Regular security audits and code reviews focusing on injection vulnerabilities should be conducted. Since no official patch is available, organizations should consider isolating the affected system or restricting access to trusted administrators only. Monitoring logs for unusual input patterns or repeated failed attempts to inject scripts can help detect exploitation attempts early. Finally, educating administrative users about the risks of clicking on suspicious links or payloads within the system can reduce the likelihood of successful exploitation.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
CVE-2022-45223: n/a in n/a
Description
Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /Admin/add-student.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtfullname parameter.
AI-Powered Analysis
Technical Analysis
CVE-2022-45223 is a medium-severity cross-site scripting (XSS) vulnerability identified in the Web-Based Student Clearance System version 1.0, specifically within the /Admin/add-student.php endpoint. The vulnerability arises from improper sanitization or validation of user-supplied input in the txtfullname parameter, which allows an attacker to inject arbitrary HTML or JavaScript code. When an administrator or authorized user accesses the affected page with the malicious payload, the injected script executes in their browser context. This can lead to session hijacking, credential theft, or unauthorized actions performed with the privileges of the authenticated user. The vulnerability requires that the attacker has the ability to submit crafted input to the system and that the victim user interacts with the malicious content (user interaction required). The CVSS 3.1 base score is 4.8, reflecting a medium severity rating, with an attack vector of network (remote exploitation possible), low attack complexity, but requiring high privileges and user interaction. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no official patches have been linked, suggesting that mitigation depends on secure coding practices and input validation. The vulnerability is classified under CWE-79, which is a common and well-understood web application security issue related to improper neutralization of input leading to XSS.
Potential Impact
For European organizations, particularly educational institutions or administrative bodies using this or similar web-based student clearance systems, the impact includes potential compromise of administrator accounts and unauthorized access to sensitive student data. Exploitation could lead to theft of personally identifiable information (PII), manipulation of student records, or unauthorized administrative actions. Since the vulnerability requires high privileges to inject the payload and user interaction to trigger the exploit, the risk is somewhat mitigated but remains significant in environments where multiple administrators or staff have access to the system. The confidentiality and integrity of student data are primarily at risk, while availability is less likely to be affected. Given the sensitivity of educational data under GDPR regulations, exploitation could also result in regulatory penalties and reputational damage. The vulnerability could be leveraged as a foothold for further attacks within the network if attackers gain administrative session tokens or credentials via XSS.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement strict input validation and output encoding on all user-supplied data, especially in administrative interfaces. Specifically, the txtfullname parameter must be sanitized to neutralize HTML and JavaScript content before rendering. Employing Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Additionally, multi-factor authentication (MFA) for administrative accounts can reduce the risk of session hijacking. Regular security audits and code reviews focusing on injection vulnerabilities should be conducted. Since no official patch is available, organizations should consider isolating the affected system or restricting access to trusted administrators only. Monitoring logs for unusual input patterns or repeated failed attempts to inject scripts can help detect exploitation attempts early. Finally, educating administrative users about the risks of clicking on suspicious links or payloads within the system can reduce the likelihood of successful exploitation.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2022-11-14T00:00:00.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d983dc4522896dcbef48f
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/24/2025, 9:19:32 PM
Last updated: 8/15/2025, 10:44:36 AM
Views: 12
Related Threats
CVE-2025-9095: Cross Site Scripting in ExpressGateway express-gateway
MediumCVE-2025-7342: CWE-798 Use of Hard-coded Credentials in Kubernetes Image Builder
HighCVE-2025-9094: Improper Neutralization of Special Elements Used in a Template Engine in ThingsBoard
MediumCVE-2025-9093: Improper Export of Android Application Components in BuzzFeed App
MediumCVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.