In this article, we’ll do a step-by-step walkthrough of CVE-2022-45472 – a DOM-based Cross Site Scripting vulnerability impacting CAE LearningSpace Enterprise (with Intuity License) image 267r, patch 639. If you’re running a medical simulation system like LearningSpace, read on: I’ll show you what’s exploitable, demonstrate a real code snippet, and share links to original advisories. Most important, I’ll break down what *you* can do about it.
What Is CAE LearningSpace Enterprise?
CAE LearningSpace is a popular healthcare education/medical simulation platform. The “Enterprise” flavor, with “Intuity License,” is used for running detailed simulation exercises, including video capture and scenario management. Security here matters—a lot.
The Core Vulnerability
CVE-2022-45472 highlights a DOM-based Cross-Site Scripting (XSS) flaw—*not* the usual reflected or stored server XSS, but JavaScript-in-the-browser.
Targeted version:
Technical Details
A specific JavaScript file (not specified in the public advisory) inspects URL parameters, then directly inserts them into the page without proper escaping. The flaw revolves around the use of mobile event handlers like ontouchmove and onpointerup in HTML attributes—these can be abused to inject arbitrary scripts.
Here is a simplified recreation
// CAE LearningSpace code snippet (simplified for demonstration)
const search = new URLSearchParams(window.location.search);
const unsafeValue = search.get('next');
if (unsafeValue) {
document.getElementById('next-action')
.setAttribute('ontouchmove', unsafeValue); // BAD: No sanitization!
}
With this, an attacker creates a *crafted* URL
https://your-learningspace-server/somepage?next=alert('XSS');//";
Any JavaScript in next is executed when the user touches/moves over that element.
`
https://vulnerable-enable.com/page?next=alert('Hacked')
Attacker sends this link to users (email, internal chat, etc).
3. When the user interacts with the vulnerable element (ontouchmove or onpointerup), the malicious code executes in their browser context.
Impact: Attacker can
- Steal cookies/session tokens
Let’s build a basic PoC
<!-- PoC HTML payload -->
<a href="https://your-learningspace-server/somepage?next=alert(document.cookie)">;
Click here to see a demo
</a>
If the victim clicks and then interacts with the vulnerable page, a popup will display their session cookie.
If you use onpointerup instead, similarly dangerous
document.getElementById('next-action')
.setAttribute('onpointerup', unsafeValue);
The exploitation route is the same: interactive attribute injection, script execution.
References
- NIST National Vulnerability Database CVE-2022-45472
- MITRE CVE Entry
- Original Advisory Example (CERT/CC)
- CAE LearningSpace Product Page
How to Fix and Protect Yourself
Short-term:
- Block, on load balancer or firewall, suspicious crafted URLs containing unexpected event handler code.
Notify users to beware of suspicious LearningSpace URLs.
Long-term (Developer fix):
- Validate and sanitize ALL user-supplied parameters before injecting them into the DOM, especially in event handlers.
- Use libraries like DOMPurify to clean HTML/JS inputs.
- Update your CAE LearningSpace appliance to a version with a patch for CVE-2022-45472. Contact CAE support for the latest.
Even enterprise medical platforms can suffer critical DOM XSS.
- Mobile/touch attributes like ontouchmove and onpointerup easily become overlooked attack surfaces.
Regularly patch and monitor public CVEs for your exact product version.
If you use LearningSpace with Intuity License, version image 267r patch 639, act *right now*: audit your systems, block exploit URLs, and schedule an update!
*Written exclusively for StackSecurity – Secure your simulations, secure your data.*
Timeline
Published on: 11/23/2022 06:15:00 UTC
Last modified on: 11/26/2022 03:36:00 UTC