CVE-2022-45225: n/a in n/a
Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the book_title parameter.
AI Analysis
Technical Summary
CVE-2022-45225 is a cross-site scripting (XSS) vulnerability identified in the Book Store Management System v1.0, specifically within the /bsms_ci/index.php/book endpoint. The vulnerability arises due to insufficient input sanitization or output encoding of the 'book_title' parameter, allowing an attacker to inject malicious scripts or HTML content. When a crafted payload is submitted via this parameter, the system reflects it back in the web page without proper validation, enabling execution of arbitrary JavaScript in the context of the victim's browser. This type of vulnerability falls under CWE-79, which is a common web application security flaw. The CVSS v3.1 base score is 6.1 (medium severity), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that the attack can be performed remotely over the network without privileges but requires user interaction (e.g., the victim must click a malicious link). The vulnerability impacts confidentiality and integrity by potentially allowing theft of session cookies, user credentials, or manipulation of displayed data, but does not affect availability. The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable component, possibly impacting the user's session or other parts of the application. No known public exploits have been reported, and no official patches or vendor information are provided. This vulnerability is typical in web applications that fail to properly sanitize user input before rendering it in HTML pages, making it a significant risk especially in environments where users have elevated privileges or sensitive data is handled.
Potential Impact
For European organizations using the affected Book Store Management System v1.0, this vulnerability could lead to targeted attacks against employees or customers through social engineering, such as phishing emails containing malicious links exploiting the XSS flaw. Successful exploitation could result in session hijacking, unauthorized access to user accounts, or manipulation of displayed information, undermining trust and potentially leading to data leakage. While the direct impact on availability is negligible, the compromise of confidentiality and integrity could have regulatory implications under GDPR, especially if personal data is exposed or manipulated. Organizations in sectors like retail, education, or libraries using this system could face reputational damage and legal consequences. Additionally, the vulnerability could be leveraged as a stepping stone for further attacks within the network if attackers gain access to user sessions with elevated privileges. Given the medium severity and requirement for user interaction, the risk is moderate but should not be underestimated, particularly in environments with high user traffic or sensitive transactions.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement strict input validation and output encoding on the 'book_title' parameter to neutralize any injected scripts. Specifically, employing context-aware encoding (e.g., HTML entity encoding) before rendering user input in the web page is essential. Web application firewalls (WAFs) can be configured to detect and block common XSS payloads targeting this endpoint. Security teams should conduct thorough code reviews and penetration testing focusing on input handling in the Book Store Management System. If source code access is unavailable, consider isolating or restricting access to the vulnerable application, enforcing strict Content Security Policy (CSP) headers to limit script execution, and educating users about the risks of clicking untrusted links. Monitoring web logs for suspicious requests to /bsms_ci/index.php/book with unusual 'book_title' parameters can help detect attempted exploitation. Finally, organizations should seek vendor updates or patches and apply them promptly once available, and consider migrating to more secure or actively maintained software solutions if remediation is not feasible.
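The log-monitoring recommendation above, as an added example (not code from the advisory or from the application's vendor): a scan of web access logs for requests to /bsms_ci/index.php/book whose book_title value decodes to HTML markup. It assumes the parameter travels in the query string and that the server writes combined-format access logs; the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT = "/bsms_ci/index.php/book"   # path named in the advisory
PARAM = "book_title"                    # parameter named in the advisory

# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2023:10:00:01 +0000] "GET /bsms_ci/index.php/book?book_title=Dune HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2023:10:00:09 +0000] "GET /bsms_ci/index.php/book?book_title=C%2B%2B+Primer HTTP/1.1" 200 5133',
    '198.51.100.23 - - [10/Jan/2023:10:02:17 +0000] "GET /bsms_ci/index.php/book?book_title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5180',
    '192.0.2.44 - - [10/Jan/2023:10:05:42 +0000] "GET /bsms_ci/index.php/book?book_title=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5191',
    '192.0.2.44 - - [10/Jan/2023:10:06:03 +0000] "GET /bsms_ci/index.php/category?name=%3Cb%3E HTTP/1.1" 404 310',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Markup that has no place in a book title: tags, event handlers, script URLs.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)


def decode_fully(value, rounds=3):
    """Undo up to `rounds` extra layers of URL encoding (double-encoded input)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (client, decoded book_title) for requests that carry markup."""
    hits = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.startswith(ENDPOINT):
            continue  # only the endpoint named in the advisory
        for title in parse_qs(url.query).get(PARAM, []):
            title = decode_fully(title)
            if MARKUP.search(title):
                hits.append((client, title))
    return hits


if __name__ == "__main__":
    for client, title in suspicious_requests(SAMPLE_LOG):
        print(f"{client}\t{title!r}")
```

Values submitted in a POST body do not appear in access logs, so that case needs application-level or WAF logging; matches are leads for triage, not proof of exploitation.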
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-11-14T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbeef4d
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/24/2025, 11:36:50 PM
Last updated: 7/26/2025, 12:01:38 AM