CVE-2024-22220 is a stored cross-site scripting vulnerability identified in Terminalfour versions 7.4 through 7.4.0004 QP3, 8 through 8.3.19, and Formbank through 2.1.10-FINAL. The vulnerability arises from insufficient input sanitization in the Form Builder and Form Preview components, allowing an attacker to inject malicious JavaScript code that is persistently stored and executed in the context of administrative users. This type of stored XSS can lead to session hijacking by stealing authentication cookies or tokens, enabling attackers to impersonate administrators and potentially gain unauthorized control over the affected web application. The attack vector is remote network exploitation (AV:N), with low attack complexity (AC:L) and requiring low privileges (PR:L), but no user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability to a limited extent, as indicated by the CVSS 3.1 score of 6.3. Although no public exploits are currently known, the presence of stored XSS in administrative interfaces is a significant risk, especially in environments where Terminalfour and Formbank are used for content and form management. The vulnerability is cataloged under CWE-79, highlighting improper neutralization of input during web page generation as the root cause.

The primary impact of CVE-2024-22220 is the potential for administrative session hijacking through stored XSS attacks, which can lead to unauthorized access to sensitive administrative functions and data. This can result in data breaches, unauthorized content modification, and disruption of web services managed by Terminalfour and Formbank. Organizations relying on these platforms for content management and form processing may face reputational damage, compliance violations, and operational downtime. Since the vulnerability allows unauthenticated attackers to inject malicious scripts, the attack surface is broad, increasing the risk of exploitation. The compromise of admin sessions can also facilitate further attacks within the network, including privilege escalation and lateral movement. Although the CVSS score is medium, the consequences of a successful exploit can be severe, especially in sectors where these platforms are critical for public-facing websites or internal workflows.

To mitigate CVE-2024-22220, organizations should immediately apply any available patches or updates provided by the vendors of Terminalfour and Formbank. In the absence of patches, implement strict input validation and output encoding on all form inputs, especially within the Form Builder and Form Preview features, to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser. Limit administrative access to trusted networks and enforce multi-factor authentication (MFA) to reduce the risk of session hijacking. Regularly audit and monitor logs for suspicious activities related to form submissions and administrative sessions. Additionally, consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting these applications. Educate administrators about the risks of XSS and encourage prompt reporting of unusual behavior.