### Critical Vulnerability Information

- **CVE**: CVE-2022-3002 (Published)
- **Vulnerability Type**: CWE-79: Cross-site Scripting (XSS) - Stored
- **Severity**: Medium (5.4)
- **Affected Versions**: 6.4.0
- **Visibility**: Public
- **Status**: Fixed
- **Discoverer**: thanhlocpanda (@thanhlocstudent)

### Vulnerability Description

The application uses Purifier to prevent cross-site scripting attacks. However, when accessing the "BusinessHours" module from "Settings", the "name" parameter is of type "text" but is not validated. It is directly used in EditViewBlocks.tpl without any encoding or validation. This allows attackers to inject arbitrary JavaScript code and perform a stored XSS attack.

### Proof of Concept

1. Log in to the application.
2. Access the BusinessHours module (edit) via the following URL:

   ```
   https://gitstable.yetiforce.com/index.php?module=BusinessHours&parent=Settings&view=Edit&record={id}
   ```

3. Replace `{id}` in the URL above with a valid record ID. Change the value of the "name" parameter to the following payload:

   ```html
   BusinessHours" onfocus="alert(document.domain)" autofocus "="
   ```

### Impact

XSS attacks allow attackers to execute arbitrary JavaScript within the context of the victim's website and user session. This can be exploited to steal session cookies, perform actions on behalf of the victim, or conduct phishing attacks.

### Location

- EditViewBlocks.tpl L32
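The defect and its fix, as an added PHP example that is not YetiForce code: a stored text value that is interpolated straight into an HTML attribute must be encoded for the attribute context before the template emits it. The function names (`renderNameInputUnsafe`, `renderNameInputSafe`, `escapeAttr`) and the `<input>` markup are assumptions chosen for illustration; the test input is the payload from the PoC above.

```php
<?php
// Added example (not YetiForce code). Shows why a text field must be
// attribute-encoded before a template places it inside value="...".

/**
 * Mirrors the defective template pattern: the raw stored value is
 * concatenated into the attribute with no encoding. Illustration only.
 */
function renderNameInputUnsafe(string $name): string
{
    return '<input type="text" name="name" value="' . $name . '" />';
}

/**
 * Context-aware encoding for an HTML attribute value.
 * ENT_QUOTES encodes both " and ', so the value can never close the
 * attribute it sits in; ENT_SUBSTITUTE replaces invalid UTF-8 instead
 * of silently returning an empty string.
 */
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened rendering: same markup, value encoded for its context. */
function renderNameInputSafe(string $name): string
{
    return '<input type="text" name="name" value="' . escapeAttr($name) . '" />';
}

// Constructed input: the payload quoted in the advisory.
$payload = 'BusinessHours" onfocus="alert(document.domain)" autofocus "="';

// Unsafe: the first " in the input closes value="..." and the remainder
// is parsed by the browser as new attributes on the <input> element.
echo renderNameInputUnsafe($payload), PHP_EOL;

// Safe: every " becomes &quot;, so the browser keeps the whole payload
// as the literal field text and no event handler attribute is created.
echo renderNameInputSafe($payload), PHP_EOL;

// Reviewer check: the encoded attribute value contains no raw quotes.
assert(strpos(escapeAttr($payload), '"') === false);
assert(strpos(escapeAttr($payload), "'") === false);
```

In a Smarty template the equivalent is to pass the variable through the `escape` modifier (default `html` mode, which also uses `ENT_QUOTES`) rather than printing it raw. The broader point the advisory makes is that input-side filtering with Purifier does not substitute for encoding at the point of output: the encoding has to match the context the value lands in, and an attribute context needs quotes neutralized even when the field type is plain text.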