CVE-2022-33098
published 2022-07-07

Priority: P3 · 53 · medium 6.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploit: EPSS 50.54% (98.8th percentile)
Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Affected

1 range

Vendor: magnolia-cms
Product: magnolia_cms
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/0/140/action/cba61868-b27a-4d50-983d-adf48b992be1
filename: xss.svg
url: https://nexus.magnolia-cms.com/service/local/repositories/magnolia.public.releases/content/info/magnolia/bundle/magnolia-community-demo-webapp/6.2.19/magnolia-community-demo-webapp-6.2.19-tomcat-bundle.zip
  • Monitor for POST requests to the Magnolia CMS upload endpoint path pattern /magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/ containing multipart file uploads with Content-Type: image/svg+xml, which is the delivery vector for the malicious SVG payload.
  • Alert on file uploads where the declared Content-Type is image/svg+xml, the filename has an .svg extension, and the body contains JavaScript (e.g., <script> tags or alert() calls), indicating a stored XSS attempt via SVG upload.
  • The exploit targets the Edit Contact / profile picture upload functionality. Inspect SVG files uploaded to Magnolia CMS contact profiles for embedded JavaScript or event handlers.
  • The exploit requires an authenticated user account with permissions to upload a profile picture for a contact. Unauthenticated exploitation is not possible; restrict the upload permission to trusted roles.
  • The upload endpoint path segment (e.g., /0/140/action/<UUID>) may vary per session or instance; detection rules should use a wildcard/regex on the /magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/ prefix rather than the exact path.
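The detection bullets above amount to one rule: a POST to the upload endpoint prefix whose multipart body carries an SVG part containing script. The Python below is an added example written for this page; it is not code from the advisory's sources or from Magnolia. It splits constructed multipart/form-data bodies with the standard-library email parser and applies the rule, matching only the /magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/ prefix as the last bullet recommends. It generalizes the rule slightly: a part is inspected when either its declared Content-Type is image/svg+xml or its filename ends in .svg (so a type/extension mismatch is still caught), and besides <script> elements it also treats on* event-handler attributes and javascript: URLs as active content. The first sample path reuses the UUID quoted in the IOCs; the second path, the boundary string and every request body are constructed sample data.

```python
import re
from email.parser import BytesParser
from email.policy import default as EMAIL_POLICY

# Upload endpoint prefix from the advisory; the /0/140/action/<UUID> tail varies per session,
# so only the prefix is matched.
UPLOAD_PREFIX = re.compile(r"^/magnoliaAuthor/\.magnolia/admincentral/APP/UPLOAD/")

# Active-content indicators in SVG text: <script> elements, on* event handlers, javascript: URLs.
ACTIVE_CONTENT = re.compile(r"<\s*script\b|\son[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def iter_file_parts(content_type_header, body):
    """Yield (filename, declared_content_type, payload_bytes) for each file part of a
    multipart/form-data body. The raw body is wrapped in a MIME header so the standard
    email parser can split it on the boundary."""
    wrapper = (b"Content-Type: " + content_type_header.encode("ascii")
               + b"\r\nMIME-Version: 1.0\r\n\r\n" + body)
    msg = BytesParser(policy=EMAIL_POLICY).parsebytes(wrapper)
    if not msg.is_multipart():
        return
    for part in msg.iter_parts():
        filename = part.get_filename()
        if filename is None:
            continue  # ordinary form field, not a file upload
        yield filename, part.get_content_type(), part.get_payload(decode=True) or b""


def inspect_upload(method, path, content_type_header, body):
    """Apply the detection rule to one HTTP request. Returns a list of findings (empty if clean)."""
    findings = []
    if method.upper() != "POST" or not UPLOAD_PREFIX.match(path):
        return findings
    for filename, declared, payload in iter_file_parts(content_type_header, body):
        declared_svg = declared == "image/svg+xml"
        named_svg = filename.lower().endswith(".svg")
        if not (declared_svg or named_svg):
            continue  # not an SVG by either indicator
        hit = ACTIVE_CONTENT.search(payload.decode("utf-8", errors="replace"))
        if hit:
            findings.append({"path": path, "filename": filename,
                             "declared_type": declared, "indicator": hit.group(0).strip()})
    return findings


def scan(requests):
    """Run inspect_upload over (method, path, content_type_header, body) tuples."""
    out = []
    for req in requests:
        out.extend(inspect_upload(*req))
    return out


# ---- constructed sample traffic (not captured from any real system) ----
BOUNDARY = "----ConstructedMagnoliaBoundary"
CT_HEADER = f"multipart/form-data; boundary={BOUNDARY}"


def build_multipart(parts):
    """Build a multipart/form-data body from (field, filename, content_type, payload) tuples."""
    chunks = []
    for field, filename, ctype, payload in parts:
        chunks.append((f"--{BOUNDARY}\r\n"
                       f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
                       f"Content-Type: {ctype}\r\n\r\n").encode() + payload + b"\r\n")
    chunks.append(f"--{BOUNDARY}--\r\n".encode())
    return b"".join(chunks)


# Path with the UUID quoted in the advisory's IOCs, and a made-up one to show only the prefix matters.
ADVISORY_PATH = "/magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/0/140/action/cba61868-b27a-4d50-983d-adf48b992be1"
OTHER_PATH = "/magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/0/141/action/00000000-0000-0000-0000-000000000000"

SAMPLE_REQUESTS = [
    # script-bearing SVG, declared image/svg+xml, on the advisory path -> finding
    ("POST", ADVISORY_PATH, CT_HEADER, build_multipart([
        ("file", "xss.svg", "image/svg+xml",
         b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>')])),
    # plain SVG with no active content -> clean
    ("POST", ADVISORY_PATH, CT_HEADER, build_multipart([
        ("file", "avatar.svg", "image/svg+xml",
         b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>')])),
    # .svg filename with a mismatched image/png type, event handler inside, other session -> finding
    ("POST", OTHER_PATH, CT_HEADER, build_multipart([
        ("file", "photo.svg", "image/png",
         b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>')])),
    # genuine PNG bytes -> clean
    ("POST", ADVISORY_PATH, CT_HEADER, build_multipart([
        ("file", "photo.png", "image/png", b"\x89PNG\r\n\x1a\nconstructed-png-bytes")])),
    # same script SVG but not on the upload endpoint -> outside this rule's scope
    ("POST", "/magnoliaAuthor/.magnolia/admincentral", CT_HEADER, build_multipart([
        ("file", "xss.svg", "image/svg+xml", b"<svg><script>alert(1)</script></svg>")])),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Run as a script it prints two findings (xss.svg on the advisory path and photo.svg on the other session path) and nothing for the three clean or out-of-scope requests. In a real deployment the request tuples would come from a proxy or WAF log that preserves request bodies; the rule deliberately ignores the variable path tail so it survives per-session UUID changes.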

CVSS provenance

NVD, CVSS v3.1: 6.1 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v2.0: 4.3 MEDIUM, vector AV:N/AC:M/Au:N/C:N/I:P/A:N