CVE-2022-46888

Name of the Vulnerable Software and Affected Versions NexusPHP versions prior to 1.7.33

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to reflective cross-site scripting (XSS) attacks. This can be achieved by injecting malicious input into specific parameters in various PHP files, including the secret parameter in "/login.php", the q parameter in "/user-ban-log.php", the query parameter in "/log.php", the text parameter in "/moresmiles.php", the q parameter in "myhr.php", or the id parameter in "/viewrequests.php".

Recommendations For NexusPHP versions prior to 1.7.33, update to version 1.7.33 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints, such as "/login.php", "/user-ban-log.php", "/log.php", "/moresmiles.php", "myhr.php", and "/viewrequests.php", and avoid using the vulnerable parameters secret, q, query, text, and id until the issue is resolved.