CVE-2022-45221 - Exploiting XSS in Web-Based Student Clearance System v1. (changepassword.php Vulnerability Explained)
---
Introduction
Security holes in educational web applications can have serious consequences. One of those vulnerabilities, CVE-2022-45221, affects the Web-Based Student Clearance System v1.. It allows attackers to perform Cross-Site Scripting (XSS) attacks by exploiting the changepassword.php page. In this post, I’ll break down what the vulnerability is, show a real example, and explain how it could be used by a malicious hacker.
What is CVE-2022-45221?
The Web-Based Student Clearance System v1. helps schools and universities manage student clearance online. Researchers discovered that when users change their password, the application's changepassword.php does not properly sanitize the input received from the txtnew_password field. As a result, an attacker can inject and run malicious scripts or HTML on a victim's browser—a classic Stored XSS vulnerability.
Why is this Serious?
When an application fails to clean user inputs before showing them on a page, attackers can trick users into running harmful scripts. These scripts can:
Where’s the XSS?
The XSS is present on this page:
/changepassword.php
Specifically, in the txtnew_password parameter, where the new password is supposed to be entered.
Here’s a simple version of what might be happening in the vulnerable PHP code:
<?php
// User submits the change-password form
if (isset($_POST['txtnew_password'])) {
    // Raw, unvalidated value straight from the request body
    $new_password = $_POST['txtnew_password'];

    // ... code that updates the stored password would go here ...

    // Feedback to the user: the raw value is written into the HTML response
    // with no output encoding, which is the vulnerable line
    echo "Your new password is: " . $new_password;
}
?>
Problem: The value from $_POST['txtnew_password'] is printed directly with no filtering, so any JavaScript or HTML code inside it will be run on the page.
Crafting an Exploit
Let’s say an attacker wants to steal a user’s cookie. They could submit this payload as their new password:
"><script>alert(document.cookie)</script>
What happens?
- The next time that password value is ever displayed to the user (maybe in a feedback message), the browser will execute the <script> tag.
- alert(document.cookie) will pop up a box with the user's cookie, but in a real attack, this could be replaced with code to steal the cookie and send it to the attacker.
Proof of Concept
You could use a simple tool like Burp Suite, your browser, or curl to submit the following POST request:
POST /changepassword.php HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 80

txtold_password=oldpass123&txtnew_password="><script>alert(document.cookie)</script>
After submitting, as soon as the page loads the new password echo, the script pops and reveals the cookie.
Real-World Impact
If an administrator or user with more privileges is tricked into clicking a crafted link or submitting a malicious new password, an attacker could take over accounts, change data, or perform actions without permission.
How to Fix
Developers should always sanitize and encode output. Use PHP’s htmlspecialchars() to prevent script injection:
echo "Your new password is: " . htmlspecialchars($new_password, ENT_QUOTES, 'UTF-8');
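The following is an added example, not code from the Web-Based Student Clearance System, showing how the changepassword.php handler described above could be written so that the txtnew_password value never reaches the page unencoded, and so that the cookie-theft scenario from the "Crafting an Exploit" section is blunted even if some other XSS slips through. Function names (html_escape, render_message, change_password, handle_request, send_security_headers), the in-memory user array and the 12-character minimum are assumptions made for this example; the project's real storage layer and policy will differ.

```php
<?php
// Added example (not the project's code): a hardened change-password handler.
// All function names and the in-memory user store below are assumptions.
declare(strict_types=1);

// Encode a string for HTML text or attribute context before output.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Status messages are fixed strings chosen by the server and are still
// encoded; the password itself is never reflected back into the page.
function render_message(string $status): string
{
    return '<p class="status">' . html_escape($status) . '</p>';
}

// Verify the old password, apply a length policy, and store only a hash.
// $user stands in for the users table row of the logged-in account.
function change_password(array &$user, string $old, string $new): string
{
    if (!password_verify($old, $user['password_hash'])) {
        return 'Current password is incorrect.';
    }
    if (strlen($new) < 12) {   // assumed policy for this example
        return 'New password must be at least 12 characters.';
    }
    // Any characters are allowed, including < > " and ': the value is
    // hashed and never echoed, so it cannot become markup.
    $user['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    return 'Password updated.';
}

// Map the POST fields used by changepassword.php onto the logic above.
function handle_request(array &$user, array $post): string
{
    if (!isset($post['txtold_password'], $post['txtnew_password'])) {
        return render_message('Missing form fields.');
    }
    $status = change_password(
        $user,
        (string) $post['txtold_password'],
        (string) $post['txtnew_password']
    );
    return render_message($status);
}

// Defence in depth: keep the session cookie out of document.cookie and
// refuse inline scripts, so a missed encoding bug is harder to abuse.
function send_security_headers(): void
{
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => true,
            'samesite' => 'Strict',
        ]);
        header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    }
}

send_security_headers();

// Self-check when run from the command line: php hardened_changepassword.php
if (PHP_SAPI === 'cli') {
    // Constructed test account and the payload quoted in this post.
    $user    = ['password_hash' => password_hash('oldpass123', PASSWORD_DEFAULT)];
    $payload = '"><script>alert(document.cookie)</script>';

    $html = handle_request($user, [
        'txtold_password' => 'oldpass123',
        'txtnew_password' => $payload,
    ]);
    echo $html, PHP_EOL;   // <p class="status">Password updated.</p>
    assert(strpos($html, '<script') === false);
    assert(password_verify($payload, $user['password_hash']));

    // Even where a message must quote user input, encoding neutralises it.
    $quoted = render_message('You entered: ' . $payload);
    echo $quoted, PHP_EOL; // the tag appears as &lt;script&gt;, not as markup
    assert(strpos($quoted, '<script') === false);
}
```

Two design points are worth noting. First, the simplest fix for this class of bug is to stop reflecting the secret at all: a "Password updated." message is just as informative to the user and removes the sink entirely, with htmlspecialchars() kept as the second line of defence for every string that does reach HTML. Second, the HttpOnly flag and the Content-Security-Policy header do not fix the XSS, but they stop the `alert(document.cookie)` style of attack from reading the session cookie and block inline `<script>` blocks, which limits the impact while the patch is rolled out.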
References
- NVD: CVE-2022-45221
- Exploit-DB: 51444
- Original Advisory (Packet Storm)
Conclusion
CVE-2022-45221 is a classic XSS bug in change password forms. Even simple tools and payloads can abuse it due to the lack of output sanitization. If you run Web-Based Student Clearance System v1., update or patch your copy ASAP and check for similar vulnerabilities elsewhere in your application.
Remember: Never trust user input. Always sanitize before output.
Timeline
Published on: 11/28/2022 22:15:00 UTC
Last modified on: 11/30/2022 05:00:00 UTC