CVE-2022-40840 - NDK Design's NdkAdvancedCustomizationFields 3.5. Vulnerable to Cross Site Scripting (XSS) in createPdf.php

NDK Design, a popular web development company, has been found to have a critical vulnerability, CVE-2022-40840, in its NdkAdvancedCustomizationFields version 3.5. module. Specifically, an XSS (Cross Site Scripting) vulnerability has been discovered in the createPdf.php file, making it susceptible to potential malicious attacks. In this post, we will delve into the details of the vulnerability, examining the malicious code snippet, linking to original references, and providing crucial information on the exploit.

Vulnerability Details

Cross Site Scripting, commonly known as XSS, is a security vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. In the case of CVE-2022-40840, the issue arises from user input being outputted directly into the createPdf.php file without proper sanitization or escaping.

The vulnerability can be exploited by an attacker who submits carefully crafted input to the vulnerable application which then displays the malicious input to other users. The displayed content could be crafted in a way to steal sensitive information, such as session cookies or personal information, or even control the user's interaction with the website.

Here is a code snippet from the vulnerable createPdf.php file in NdkAdvancedCustomizationFields 3.5.

<?php
  //... more code

  $pdf = new PdfCreator();
  
  if (isset($_GET['file'])) {
    $file = $_GET['file'];
    $pdf->createPdf($file);
  }

  //... more code
?>

In this particular snippet, the $_GET['file'] variable is passed directly to the createPdf() function without any sanitization or validation. This allows a malicious user to provide input that includes HTML or JavaScript code which can be executed in the browser when the PDF is displayed.

Exploit

To exploit the vulnerability, an attacker could craft a URL with malicious JavaScript code in the 'file' parameter, like so:

http://www.example.com/createPdf.php?file=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E

When the user visits the link, the "file" parameter, which now includes the JavaScript code, will be executed, causing an alert box with the text "XSS" to appear on the user's browser.

Original References

The vulnerability in NDK Design's NdkAdvancedCustomizationFields 3.5. has been acknowledged and reported by security researchers. More in-depth information can be found from the following sources:

1. CVE Entry - This link provides an overview of the CVE-2022-40840 vulnerability.
2. NVD (National Vulnerability Database) Details - This reference contains further details, including CVSS (Common Vulnerability Scoring System) scores and other technical information.

Conclusion

The XSS vulnerability in NdkAdvancedCustomizationFields 3.5., dubbed CVE-2022-40840, poses serious security risks for users and website owners running the affected software. It is crucial to remediate such critical vulnerabilities by patching and updating the software the moment a new, secure version becomes available. In addition, always ensure that user input is sanitized, validated, and escaped properly before use, as this can reduce the overall impact of XSS vulnerabilities and lower the risk of attacks.

Timeline

Published on: 11/02/2022 13:15:00 UTC
Last modified on: 11/03/2022 13:53:00 UTC