CVE-2022-37153
published 2022-08-24CVE-2022-37153: An issue was discovered in Artica Proxy 4.30.000000. There is a XSS vulnerability via the password parameter in /fw.login.php.
PriorityP179medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
1.39%
69.0th percentile
An issue was discovered in Artica Proxy 4.30.000000. There is a XSS vulnerability via the password parameter in /fw.login.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| articatech | artica_proxy | — | — |
Detection & IOCsextracted from sources · hover to see the quote
commandPOST /fw.login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
userfont=&artica-language=&StandardDropDown=&HTMLTITLE=&username=admin&password=admin%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
versionArtica Proxy 4.30.000000
- →Look for reflected XSS payload in HTTP response body: the string 'Password" value="admin">alert(document.domain)' appearing in the page body indicates successful exploitation of the password parameter reflection.
- →Detect exploitation attempts by monitoring POST requests to /fw.login.php where the password parameter contains URL-encoded HTML/script injection characters (e.g., %22%3E%3Cscript%3E).
- →Identify Artica Proxy instances via Shodan/FOFA fingerprinting on HTML body containing 'Artica' or 'artica' strings.
- →Vulnerable endpoint responds with HTTP 200 and Content-Type: text/html, with both the reflected XSS payload and 'Artica Web' present in the response body.
- ·The XSS is reflected via the password parameter — exploitation requires user interaction (UI:R) as a victim must submit or load the crafted login form for the payload to execute.
- ·Vulnerability is confirmed only on Artica Proxy version 4.30.000000; other versions are not specified as affected.
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck6.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-hf2f-4m5m-v72p: An issue was discovered in Artica Proxy 4
ghsa_unreviewed·2022-08-25
CVE-2022-37153 [MEDIUM] CWE-79 GHSA-hf2f-4m5m-v72p: An issue was discovered in Artica Proxy 4
An issue was discovered in Artica Proxy 4.30.000000. There is a XSS vulnerability via the password parameter in /fw.login.php.
VulnCheck
articatech artica_proxy Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2022·CVSS 6.1
CVE-2022-37153 [MEDIUM] articatech artica_proxy Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
articatech artica_proxy Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
An issue was discovered in Artica Proxy 4.30.000000. There is a XSS vulnerability via the password parameter in /fw.login.php.
Affected: articatech artica_proxy
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://viz.greynoise.io/tags/artica-proxy-password-parameter-cve-2022-37153-xss-check
No detection rules found.
Nuclei
Artica Proxy 4.30.000000 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2022-37153 [MEDIUM] Artica Proxy 4.30.000000 - Cross-Site Scripting
Artica Proxy 4.30.000000 - Cross-Site Scripting
Artica Proxy 4.30.000000 contains a cross-site scripting vulnerability via the password parameter in /fw.login.php.
Template:
id: CVE-2022-37153
info:
name: Artica Proxy 4.30.000000 - Cross-Site Scripting
author: arafatansari
severity: medium
description: |
Artica Proxy 4.30.000000 contains a cross-site scripting vulnerability via the password parameter in /fw.login.php.
impact: |
Attackers can inject malicious JavaScript through the password parameter in the Artica Proxy login page that reflects back to users, potentially stealing credentials or session tokens when victims submit the login form.
remediation: |
Upgrade to a patched version of Artica Proxy or apply the vendor-supplied patch to mitigate the vulnerability.
reference:
- https
2022-08-24
Published
Exploited in the wild