In late 2022, a medium-severity vulnerability—classified as problematic—was discovered in the Sourcecodester Simple Cashiering System, an open-source PHP platform popular for small business cashiering needs. This issue, tracked as CVE-2022-3949 (VDB-213455), involves a Cross-Site Scripting (XSS) flaw caused by improper handling of user input, specifically the fullname parameter in the User Account Handler component. For attackers, this presents a way to remotely inject malicious scripts, resulting in theft of session data, account compromise, or redirection of users to malicious websites.
Below, we break down how the vulnerability works, how it can be exploited (with a code example), and best mitigation practices.
Vulnerable Parameter: fullname
- CVE Entry: CVE-2022-3949
- VulDB Record: VDB-213455
Vulnerability Details
The application fails to sanitize user-supplied input for the fullname parameter. When adding or editing a user account, whatever is entered for fullname gets echoed back into the web page without proper escaping or filtering. This classic reflected/stored XSS scenario allows malicious JavaScript code to execute in the context of an unsuspecting victim.
Exploitation Example
Suppose you’re adding a new user and the registration form accepts a "Full Name." An attacker can inject JavaScript as follows:
Proof-of-Concept (PoC) Attack
Payload:
Let's say the attacker enters this as the "Full Name":
<script>alert('XSS');</script>
If the application returns this input on a user profile or admin page without encoding, the JavaScript runs as soon as anyone (e.g., an admin) views the infected page.
Exploit Steps
1. Navigate to user registration or edit profile form (/user_add.php, /user_edit.php, etc.).
Wait for a privileged user (like an admin) to view the user list or specific profile page.
5. The script runs in their browser, sending the admin’s session cookie to the attacker's remote server.
Here’s a simplified (vulnerable) PHP code section responsible for displaying user information:
echo "<td>" . $_POST['fullname'] . "</td>";
No sanitization is applied. The correct way is to encode the value on output with htmlspecialchars():
echo "<td>" . htmlspecialchars($_POST['fullname'], ENT_QUOTES, 'UTF-8') . "</td>";
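To show the difference the one-line fix makes, here is an added, self-contained PHP example (not the Simple Cashiering System's own code): it renders the fullname cell both the vulnerable way and the encoded way, adds an input-side plausibility check, and verifies that the advisory's payload no longer survives as a tag in the encoded output. The function names and sample rows are constructed for illustration.

```php
<?php
// Added example (not the Simple Cashiering System's own code): a minimal
// user-list cell renderer that encodes the fullname field on output, the fix
// the advisory recommends, next to the vulnerable pattern for comparison.
// Function names and the sample rows below are constructed for illustration.

declare(strict_types=1);

// Vulnerable pattern from the advisory: raw value concatenated into HTML.
function render_cell_vulnerable(string $fullname): string
{
    return "<td>" . $fullname . "</td>";
}

// Hardened version: encode for the HTML body context. ENT_QUOTES also encodes
// single quotes, and an explicit charset removes any encoding ambiguity.
function render_cell_safe(string $fullname): string
{
    return "<td>" . htmlspecialchars($fullname, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</td>";
}

// Defensive validation on the way in (in addition to output encoding, never
// instead of it): a display name should be short and contain no markup.
function is_plausible_fullname(string $fullname): bool
{
    $len = mb_strlen($fullname, 'UTF-8');
    return $len > 0 && $len <= 100 && preg_match('/[<>]/', $fullname) !== 1;
}

// Constructed sample rows: one benign name, one using the advisory's payload.
$rows = [
    ['id' => 1, 'fullname' => "Maria O'Neil"],
    ['id' => 2, 'fullname' => "<script>alert('XSS');</script>"],
];

foreach ($rows as $row) {
    $unsafe = render_cell_vulnerable($row['fullname']);
    $safe   = render_cell_safe($row['fullname']);
    // The encoded output never contains a raw tag, so the browser shows the
    // payload as literal text instead of executing it.
    $tagSurvives = stripos($unsafe, '<script') !== false;
    $neutralized = stripos($safe, '<script') === false;
    printf("user %d: vulnerable=%s safe=%s\n", $row['id'], $unsafe, $safe);
    printf("  tag survives in vulnerable output: %s; neutralized in safe output: %s\n",
        $tagSurvives ? 'yes' : 'no', $neutralized ? 'yes' : 'no');
    printf("  input passes validation: %s\n", is_plausible_fullname($row['fullname']) ? 'yes' : 'no');
}
```

Note that htmlspecialchars() is the right encoder for the HTML body and quoted attribute contexts; a value placed into a JavaScript block or a URL needs the encoder for that context instead.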
Responsible Disclosure
- Official CVE: CVE-2022-3949 on MITRE
- Original Database Reference: https://vuldb.com/?id.213455
Unfortunately, as of this writing, there is no official patch released by Sourcecodester for this version. Administrators should apply code-level fixes as shown above, or filter all user input and encode output on all affected pages.
Conclusion
CVE-2022-3949 demonstrates how a lack of basic input/output neutralization can leave web applications wide open to XSS attacks. Even small platforms like Sourcecodester’s Simple Cashiering System are on hackers' radar. Proper validation and encoding—on every user input—remain critical for securing any PHP web application.
For more details, visit the official vulnerability records:
- MITRE CVE-2022-3949
- VulDB VDB-213455
Timeline
Published on: 11/11/2022 13:15:00 UTC
Last modified on: 11/15/2022 20:20:00 UTC