In late 2022, a critical cross-site scripting (XSS) vulnerability was discovered in the Record Management System using CodeIgniter version 1.. Tracked as CVE-2022-41445, this flaw allows attackers to execute arbitrary JavaScript or HTML within a victim’s browser—just by injecting a malicious payload into the “Add Subject” page.
This article will break down what the vulnerability is, show you some code examples, explain step-by-step how it can be exploited, and share key references for further reading.
What is CVE-2022-41445?
CVE-2022-41445 is a reflected/stored XSS vulnerability that affects the CodeIgniter 1.-based Record Management System, specifically the subject addition feature. It lets attackers submit custom web scripts that will execute in the browsers of users viewing the compromised data.
How The Vulnerability Works
The “Add Subject” function allows users (usually admins or managers) to add new school or college subjects to the system. The vulnerable system does not properly sanitize the input fields, meaning dangerous code can slip right through.
Here’s a simplified version of the vulnerable code:

```php
<?php
// add_subject.php (controller/handler)
$subject = $_POST['subject']; // <-- No sanitization or validation of the user-supplied value
// Insert the submitted subject into the database exactly as received
$query = "INSERT INTO subjects (subject_name) VALUES ('$subject')";
mysqli_query($conn, $query);
```
Later, the subject name is rendered like so:

```php
<?php
// subjects_list.php (view)
echo "<td>{$row['subject_name']}</td>"; // Direct output, no HTML escaping
```
If the subject name contains JavaScript, it will be executed in the browser of anyone viewing the subjects list.
An attacker can submit input like:

```html
<script>alert('XSS by attacker');</script>
```
2. Submitting the Payload
- Visit the “Add Subject” page (often at /subject_add.php or similar)
3. Triggering The XSS
Whenever someone—like an admin, teacher, or another user—views the list of subjects, the browser receives:

```html
<td><script>alert('XSS by attacker');</script></td>
```
This immediately triggers the JavaScript, showing an alert, but in real attacks, the code could steal session cookies or perform other malicious actions.
4. Possible Real-World Impacts
- Session Hijacking: The attacker could grab your cookies with document.cookie and send them to a server they control.
Injected on the Add Subject page:

```html
"><script>alert('Record Management System XSS!')</script>
```

HTML output after the input is stored and retrieved:

```html
<tr>
<td>"><script>alert('Record Management System XSS!')</script></td>
</tr>
```
If you open the subjects list, the alert triggers.
The fix is to escape the stored value for an HTML context at the point where it is rendered, so that any markup in the subject name is displayed as text instead of being interpreted by the browser:

```php
<?php
// subjects_list.php (view) - escape before output
echo "<td>" . htmlspecialchars($row['subject_name'], ENT_QUOTES, 'UTF-8') . "</td>";
```
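As an added example that is not code from the original write-up or from the Record Management System project, the following script renders the same subject cell both ways (the vulnerable direct echo and the escaped form) for the two payloads quoted above, and includes a small check that flags when markup leaks through; the function names are my own.

```php
<?php
// Vulnerable rendering as shown in the write-up: the stored value is echoed verbatim.
function render_cell_unescaped(string $subjectName): string {
    return "<td>{$subjectName}</td>";
}

// Hardened rendering: escape for an HTML text context before output.
// ENT_QUOTES also encodes ' and " so the same call is safe inside attribute values.
function render_cell_escaped(string $subjectName): string {
    return '<td>' . htmlspecialchars($subjectName, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Review/test helper (hypothetical): does the rendered cell contain anything
// besides the single <td> wrapper? Any '<' inside the wrapper means markup leaked.
function cell_leaks_markup(string $renderedCell): bool {
    $inner = substr($renderedCell, strlen('<td>'), -strlen('</td>'));
    return strpos($inner, '<') !== false;
}

// Constructed sample inputs: a benign subject name plus the two payloads from the article.
$samples = [
    'Mathematics',
    "<script>alert('XSS by attacker');</script>",
    "\"><script>alert('Record Management System XSS!')</script>",
];

foreach ($samples as $name) {
    $raw  = render_cell_unescaped($name);
    $safe = render_cell_escaped($name);
    printf("input:     %s\n", $name);
    printf("unescaped: %s  (leaks markup: %s)\n", $raw, cell_leaks_markup($raw) ? 'yes' : 'no');
    printf("escaped:   %s  (leaks markup: %s)\n\n", $safe, cell_leaks_markup($safe) ? 'yes' : 'no');
}
```

Running it with `php` shows the escaped cells containing only `&lt;`, `&gt;` and `&#039;` entities, which the browser displays as literal text rather than executing.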
References and Further Reading
- NIST CVE-2022-41445 Entry
- Original Exploit Disclosure
- OWASP XSS Prevention Cheat Sheet
- PHP Manual: htmlspecialchars()
Summary
CVE-2022-41445 in CodeIgniter 1.-based Record Management System is a classic but dangerous XSS bug. All user-submitted input must always be sanitized and escaped before storage and display, especially in sensitive systems like record management. Never trust your input—validate, escape, and always think like an attacker!
If you manage a Record Management System using CodeIgniter, make sure you’re patched or have implemented the fixes above. Stay secure!
If you have questions or need help patching your system, feel free to leave a comment or get in touch!
Timeline
Published on: 11/22/2022 14:15:00 UTC
Last modified on: 11/23/2022 19:17:00 UTC