CVE-2022-44787 in Appalti & Contrattiinfo

Summary

by MITRE • 11/22/2022

An issue was discovered in Appalti & Contratti 9.12.2. The web applications are vulnerable to a Reflected Cross-Site Scripting issue. The idPagina parameter is reflected inside the server response without any HTML encoding, resulting in XSS when the victim moves the mouse pointer inside the page. As an example, the onmouseenter attribute is not sanitized.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/30/2025

The vulnerability identified as CVE-2022-44787 resides within the Appalti & Contratti web application version 9.12.2, representing a critical security flaw that exposes users to reflected cross-site scripting attacks. This issue stems from improper input validation and output encoding practices within the application's response handling mechanisms. The vulnerability specifically affects the idPagina parameter which is processed and returned in server responses without appropriate HTML encoding, creating an exploitable vector for malicious script injection.

The technical implementation of this vulnerability demonstrates a classic reflected XSS flaw where user-supplied input flows directly into the application's output without sanitization. When the idPagina parameter is included in the HTTP request and subsequently reflected in the server response, the application fails to encode special HTML characters that could otherwise neutralize malicious script payloads. This particular implementation allows attackers to inject malicious JavaScript code that executes when users interact with the page, specifically triggering when mouse pointer movement occurs within the affected element. The onmouseenter attribute serves as a prime example of how the vulnerability can be exploited, as it represents a client-side event handler that can be manipulated through the reflected parameter.

The operational impact of this vulnerability extends beyond simple script execution, as it creates potential pathways for attackers to perform session hijacking, steal sensitive user data, or redirect victims to malicious websites. The fact that the XSS triggers during mouse movement indicates that the attack vector requires minimal user interaction beyond normal browsing behavior, making it particularly dangerous in real-world scenarios. This type of vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws, and aligns with ATT&CK technique T1531 which focuses on credential access through malicious scripts. The reflected nature of the vulnerability means that attackers can craft malicious URLs that, when clicked by victims, immediately execute the injected payloads without requiring any persistent modifications to the application.

Mitigation strategies for this vulnerability must address both the immediate code-level issues and broader security practices within the application. The primary solution involves implementing proper HTML encoding for all user-supplied input before rendering it in the application's output, particularly for attributes like onmouseenter that can be manipulated. Additionally, developers should implement Content Security Policy headers to limit the execution of inline scripts and establish proper input validation mechanisms that filter out potentially dangerous characters. The application should also employ a comprehensive output encoding strategy that treats all user-supplied data as untrusted and applies appropriate escaping based on the context where the data will be rendered. Security teams should conduct regular vulnerability assessments and code reviews focusing on input validation and output encoding practices to prevent similar issues from emerging in other application components.

Reservation

11/07/2022

Disclosure

11/22/2022

Moderation

accepted

CPE

ready

EPSS

0.00423

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!