CVE-2022-46888
Published: 2023-01-19
Priority: P3 (medium), CVSS 3.1 base score 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.54% (71.8th percentile)
Multiple reflective cross-site scripting (XSS) vulnerabilities in NexusPHP before 1.7.33 allow remote attackers to inject arbitrary web script or HTML via the secret parameter in /login.php; q parameter in /user-ban-log.php; query parameter in /log.php; text parameter in /moresmiles.php; q parameter in myhr.php; or id parameter in /viewrequests.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nexusphp | nexusphp | < 1.7.33 | 1.7.33 |
No detection rules found.
Nuclei
NexusPHP <1.7.33 - Cross-Site Scripting (nuclei, CVSS 6.1)
CVE-2022-46888 [MEDIUM] NexusPHP <1.7.33 - Cross-Site Scripting
Request fragment as indexed (markup lost in extraction): NexusPHP alert(document.domain)'

```yaml
matchers-condition: and
matchers:
  - type: word
    part: body
    words:
      - 'value="">alert(document.domain)">'
      - 'NexusPHP'
    case-insensitive: true
    condition: and
  - type: word
    part: header
    words:
      - text/html
  - type: status
    status:
      - 200
# digest: 4b0a00483046022100b963773fd17448615b04441490d915646272c3c6e16e6a976ec8190be9c7ffb7022100dec8bfb684052281605efd88614c8410ce2d19beb32db8ea9cdf41a3702e6ef5:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
References:
- https://github.com/xiaomlove/nexusphp/releases/tag/v1.7.33
- https://www.surecloud.com/resources/blog/nexusphp-surecloud-security-review-identifies-authenticated-unauthenticated-vulnerabilities