In October 2022, a security flaw was discovered in the Blood Donor Management System 1.0, an open-source web application developed by PHPGurukul. The vulnerability, assigned CVE-2022-40470, allows an authenticated user to inject JavaScript (a Cross Site Scripting, or XSS, attack) through the feature for adding a new blood group; the injected script is stored by the application and runs in the browser of anyone who later views the blood group list.
In this post, we'll explain how this vulnerability works, why it's dangerous, walk through it step by step with code snippets, and link to further resources on protecting your own web applications. No advanced programming knowledge needed, just a bit of curiosity about how attackers can twist the simplest code mistakes!
What is CVE-2022-40470?
CVE-2022-40470 is an authenticated stored XSS vulnerability in PHPGurukul Blood Donor Management System version 1.0. "Authenticated" means the attacker already needs an admin login; "stored" means the payload is saved in the database and fires every time the affected page is rendered, not just once in the attacker's own browser.
Where’s the Problem?
The weakness lies in the Add Blood Group Name feature, where administrators define new blood groups. The blood group name is stored exactly as submitted, with no filtering of special characters, HTML tags, or scripts, and the stored value is later echoed into the listing page without HTML encoding.
Any user with access to the admin panel can therefore save JavaScript in this field, and it executes in the browser of everyone who subsequently visits the blood group listing.
1. Logging in
The attacker first logs into the admin dashboard with valid credentials (obtained, for example, through a weak or default password).
2. Navigating to the Add Blood Group Page
After login, the attacker heads to the section where they can add a new blood group, usually at a URL like:
/admin/add-blood-group.php
3. Submitting the Payload
Instead of a normal blood group such as O+, the attacker submits
<script>alert('XSS!')</script>
Sample malicious form data (a browser would URL-encode the body; it is shown decoded here for readability)
POST /admin/add-blood-group.php HTTP/1.1
Host: victim-site.com
...
bloodgroupname=<script>alert('XSS!')</script>
4. The XSS is Triggered
Whenever an admin, staff member, or anyone else with access views the list of blood groups, their browser executes the injected JavaScript. In this test case they see a popup ("XSS!"), but a real attacker's script could read the victim's cookies (if they are not marked HttpOnly), perform admin actions in the victim's session, or redirect the victim to a phishing page.
Relevant vulnerable code (simplified)
<?php
if(isset($_POST['submit'])) {
$bgroup=$_POST['bloodgroupname'];
// No sanitization on $bgroup
$sql="INSERT INTO tblbloodgroup (BloodGroup) VALUES ('$bgroup')";
...
}
?>
Later, in the records list:
<?php
// Fetching blood groups
while($row = $query->fetch_assoc()){
echo "<td>".$row['BloodGroup']."</td>"; // Stored value echoed raw into HTML: vulnerable to XSS!
}
?>
- Browser exploitation: launch browser-based attacks against other users (session hijacking, actions performed in the victim's session, redirects to attacker-controlled pages).
- Privilege escalation: an attacker with low-level admin access could use the XSS to take over the accounts of other, more privileged users who view the listing.
How To Fix
Encode on output, and validate on input. The fix that actually closes the hole is HTML-encoding the stored value at the point where it is written into the page; filtering the input is a useful second layer but is not sufficient on its own, because the listing page must be safe no matter how a value reached the database.
For example, change the echo statement to
echo "<td>".htmlspecialchars($row['BloodGroup'])."</td>";
This ensures that any tags are shown as plain text, not interpreted as HTML/JavaScript. Two caveats: pass ENT_QUOTES (and ideally the charset, e.g. 'UTF-8') so that single quotes are also encoded, which matters if the value is ever placed inside an attribute, and, as a second layer, reject anything that is not one of the eight real blood group names, since this field never needs to hold free text.
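Here is an added example, not code from PHPGurukul's project, that puts the two layers together: an allowlist check on the submitted name, a bound parameter for the insert, and HTML encoding with explicit flags when the value is rendered, shown beside the original raw echo for comparison. The function names, the table name and the $db handle are assumptions; the demo at the bottom runs from the CLI on a constructed payload and needs no database.

```php
<?php
// Added example (not PHPGurukul's code): a hardened Add Blood Group handler
// and listing cell. Function names, the table name and the $db handle are
// assumptions; the CLI demo at the bottom uses a constructed payload only.

declare(strict_types=1);

// Blood group names are a closed set, so validate against an allowlist
// instead of trying to strip "bad" characters out of free text.
const ALLOWED_BLOOD_GROUPS = ['A+', 'A-', 'B+', 'B-', 'AB+', 'AB-', 'O+', 'O-'];

// Returns the normalised name, or null if it is not a real blood group.
function validate_blood_group(string $name): ?string
{
    $name = strtoupper(trim($name));
    return in_array($name, ALLOWED_BLOOD_GROUPS, true) ? $name : null;
}

// Output encoding: the fix the post recommends, with the flags that make it
// safe inside attribute values (ENT_QUOTES) and robust to bad byte sequences
// (ENT_SUBSTITUTE), and an explicit charset.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The original listing cell, kept only for comparison: the value is echoed raw.
function render_cell_vulnerable(string $bloodGroup): string
{
    return "<td>" . $bloodGroup . "</td>";
}

// The hardened listing cell: every stored value goes through h() on output.
function render_cell_safe(string $bloodGroup): string
{
    return "<td>" . h($bloodGroup) . "</td>";
}

// Input layer: reject anything outside the allowlist, and bind the value as a
// parameter rather than interpolating it into the SQL string.
function insert_blood_group(mysqli $db, string $rawName): bool
{
    $name = validate_blood_group($rawName);
    if ($name === null) {
        return false; // not a blood group at all, never reaches the database
    }
    $stmt = $db->prepare("INSERT INTO tblbloodgroup (BloodGroup) VALUES (?)");
    $stmt->bind_param('s', $name);
    return $stmt->execute();
}

// --- CLI demo on a constructed payload (no database required) ---
if (PHP_SAPI === 'cli') {
    $payload = "<script>alert('XSS!')</script>";
    echo "validate('O+')    => ", var_export(validate_blood_group('O+'), true), PHP_EOL;
    echo "validate(payload) => ", var_export(validate_blood_group($payload), true), PHP_EOL;
    echo "vulnerable render => ", render_cell_vulnerable($payload), PHP_EOL;
    echo "safe render       => ", render_cell_safe($payload), PHP_EOL;
}
```

Run it with `php hardened.php`: the vulnerable render emits the `<script>` tag intact, the safe render emits it as encoded text, and the allowlist rejects the payload before it is ever stored. Note that the output encoding alone would have closed CVE-2022-40470; the allowlist is defence in depth for a field that has no legitimate reason to accept arbitrary strings.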
Any script body works as a test payload; for instance, alert('Hi! Got XSS'); inside the same <script> tags is an equally harmless probe.
Original References
- CVE Details Entry: CVE-2022-40470
- Exploit-DB #51027
- Vendor page, PHPGurukul Blood Donor Management System
Conclusion
CVE-2022-40470 shows how critical it is to sanitize and escape user input, even on what seem like harmless admin pages. Small oversights like these can lead to big breaches. If you use PHPGurukul’s Blood Donor Management System, make sure to patch this hole immediately. Review your code—any input that shows up in HTML should be treated as dangerous.
Stay safe, code smart!
If you want to test this or read more, the NVD entry and the Exploit-DB post carry the full details and patch advice.
Timeline
Published on: 11/21/2022 16:15:00 UTC
Last modified on: 11/22/2022 01:07:00 UTC