CVE-2022-1457: 
PHP vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in the title parameter executing at EditUser Page & EditProducto page in GitHub repository neorazorx/facturascripts prior to version 2022.04. The vulnerability was assigned CVE-2022-1457 and was disclosed on April 25, 2022 (NVD, CVE).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, while huntr.dev assessed it with a CVSS v3.0 score of 9.0 (Critical). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that it requires network access, low attack complexity, low privileges, and user interaction (NVD).

Cross-site scripting attacks through this vulnerability can have severe consequences. Code injected into the vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account (NVD).

The vulnerability has been patched in FacturaScripts version 2022.04. Users should upgrade to this version or later to mitigate the risk. The fix involves implementing proper HTML sanitization of user input in the affected parameters (GitHub).