6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-1571

GHSA ID

GHSA-m8gv-gvhf-7rhp

EPSS Score

0.53302%

CWE

CWE-79

Published

5/5/2022

Updated

2/1/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-1571

CVE-2022-1571: Cross-site Scripting in FacturaScripts

FacturaScripts versions 2022.06 and prior are vulnerable to reflected cross-site scripting attacks. This vulnerability can use arbitrarily executed javascript code to steal users' cookies, perform HTTP request, get content of same origin page, etc. A fix is available on the master branch of the GitHub repository and anticipated to be part of version 2022.07.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-1571

GHSA ID

GHSA-m8gv-gvhf-7rhp

EPSS Score

0.53302%

CWE

CWE-79

Published

5/5/2022

Updated

2/1/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
facturascripts/facturascripts	composer	<= 2022.06	2022.07

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing HTML sanitization in model field processing. The patch adds noHtml() calls to these fields within the test() method, indicating they were previously unescaped. The test() function's role in data validation and preparation for output makes it the logical injection point for XSS payloads. The direct correlation between the vulnerability description (reflected XSS via model fields) and the patched code location confirms this assessment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

***tur*S*ripts v*rsions ****.** *n* prior *r* vuln*r**l* to r**l**t** *ross-sit* s*riptin* *tt**ks. T*is vuln*r**ility **n us* *r*itr*rily *x**ut** j*v*s*ript *o** to st**l us*rs' *ooki*s, p*r*orm *TTP r*qu*st, **t *ont*nt o* `s*m* ori*in` p***, *t*.

Reasoning

T** vuln*r**ility st*ms *rom missin* *TML s*nitiz*tion in mo**l *i*l* pro**ssin*. T** p*t** ***s `no*tml()` **lls to t**s* *i*l*s wit*in t** `t*st()` m*t*o*, in*i**tin* t**y w*r* pr*viously un*s**p**. T** `t*st()` *un*tion's rol* in **t* v*li**tion *

6.1

Basic Information

Concerned about an active attack path?

CVE-2022-1571: Cross-site Scripting in FacturaScripts

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI