CVE-2022-37137

Name of the Vulnerable Software and Affected Versions PayMoney version 3.3

Description The issue is related to Stored Cross-Site Scripting (XSS) that occurs during the process of replying to a ticket. This can be achieved by injecting a specially crafted payload into the "Message" field using the description parameter, resulting in Stored XSS. The XSS payload can be triggered after the injection or accessed through the view ticket function.

Recommendations For PayMoney version 3.3, consider disabling the reply ticket function temporarily to prevent exploitation until a patch is available. Restrict access to the "Message" field and the description parameter in the reply ticket function to minimize the risk of Stored XSS injection. Avoid using the description parameter in the affected function until the issue is resolved.