CVE-2022-44787 in Appalti & Contratti
Summary
by MITRE • 11/22/2022
An issue was discovered in Appalti & Contratti 9.12.2. The web applications are vulnerable to a Reflected Cross-Site Scripting issue. The idPagina parameter is reflected inside the server response without any HTML encoding, resulting in XSS when the victim moves the mouse pointer inside the page. As an example, the onmouseenter attribute is not sanitized.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/30/2025
The vulnerability identified as CVE-2022-44787 resides within the Appalti & Contratti web application version 9.12.2, representing a critical security flaw that exposes users to reflected cross-site scripting attacks. This issue stems from improper input validation and output encoding practices within the application's response handling mechanisms. The vulnerability specifically affects the idPagina parameter which is processed and returned in server responses without appropriate HTML encoding, creating an exploitable vector for malicious script injection.
The technical implementation of this vulnerability demonstrates a classic reflected XSS flaw where user-supplied input flows directly into the application's output without sanitization. When the idPagina parameter is included in the HTTP request and subsequently reflected in the server response, the application fails to encode special HTML characters that could otherwise neutralize malicious script payloads. This particular implementation allows attackers to inject malicious JavaScript code that executes when users interact with the page, specifically triggering when mouse pointer movement occurs within the affected element. The onmouseenter attribute serves as a prime example of how the vulnerability can be exploited, as it represents a client-side event handler that can be manipulated through the reflected parameter.
The operational impact of this vulnerability extends beyond simple script execution, as it creates potential pathways for attackers to perform session hijacking, steal sensitive user data, or redirect victims to malicious websites. The fact that the XSS triggers during mouse movement indicates that the attack vector requires minimal user interaction beyond normal browsing behavior, making it particularly dangerous in real-world scenarios. This type of vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws, and aligns with ATT&CK technique T1531 which focuses on credential access through malicious scripts. The reflected nature of the vulnerability means that attackers can craft malicious URLs that, when clicked by victims, immediately execute the injected payloads without requiring any persistent modifications to the application.
Mitigation strategies for this vulnerability must address both the immediate code-level issues and broader security practices within the application. The primary solution involves implementing proper HTML encoding for all user-supplied input before rendering it in the application's output, particularly for attributes like onmouseenter that can be manipulated. Additionally, developers should implement Content Security Policy headers to limit the execution of inline scripts and establish proper input validation mechanisms that filter out potentially dangerous characters. The application should also employ a comprehensive output encoding strategy that treats all user-supplied data as untrusted and applies appropriate escaping based on the context where the data will be rendered. Security teams should conduct regular vulnerability assessments and code reviews focusing on input validation and output encoding practices to prevent similar issues from emerging in other application components.