9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2022-1457

GHSA ID

GHSA-8wp2-vxpg-xcvp

EPSS Score

0.57073%

CWE

CWE-79

Published

4/26/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-1457

CVE-2022-1457: Cross site scripting in facturascripts

facturasripts is an open source ERP software. Store XSS in title parameter executing at EditUser Page & EditProducto page in GitHub repository neorazorx/facturascripts prior to 2022.04. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.

(GitHub Advisory)

9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2022-1457

GHSA ID

GHSA-8wp2-vxpg-xcvp

EPSS Score

0.57073%

CWE

CWE-79

Published

4/26/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
neorazorx/facturascripts	composer	< 2022.04	2022.04

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The key evidence comes from the patch diff showing the addition of HTML sanitization (self::toolBox()::utils()::noHtml()) to the $newValue assignment in setColumnOption. This function handles user-controlled 'title' parameter input for page options. Before the patch, the lack of output encoding made stored XSS possible when rendering these titles. The vulnerability matches the CVE description of XSS in title parameters affecting user/product edit pages.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

***tur*sripts is *n op*n sour** *RP so*tw*r*. Stor* XSS in titl* p*r*m*t*r *x**utin* *t **itUs*r P*** & **itPro*u*to p*** in *it*u* r*pository n*or*zorx/***tur*s*ripts prior to ****.**. *ross-sit* s*riptin* *tt**ks **n **v* **v*st*tin* *ons*qu*n**s.

Reasoning

T** k*y *vi**n** *om*s *rom t** p*t** *i** s*owin* t** ***ition o* *TML s*nitiz*tion (s*l*::tool*ox()::utils()::no*tml()) to t** $n*wV*lu* *ssi*nm*nt in s*t*olumnOption. T*is *un*tion **n*l*s us*r-*ontroll** 'titl*' p*r*m*t*r input *or p*** options.

9

Basic Information

Concerned about an active attack path?

CVE-2022-1457: Cross site scripting in facturascripts

9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI