CVE-2022-21149: 
PHP vulnerability analysis and mitigation

The vulnerability CVE-2022-21149 affects the packages s-cart/s-cart and s-cart/core before version 6.9. It is a Cross-site Scripting (XSS) vulnerability that was discovered on February 1, 2022, and publicly disclosed on April 26, 2022. The vulnerability allows attackers to steal cookies from victims who visit affected URLs, potentially leading to unauthorized access to user accounts (Snyk Advisory, NVD).

The vulnerability exists in the user permission management functionality of the admin panel. It can be exploited when an attacker injects malicious payload in the Name field while editing roles. The XSS payload gets triggered when users visit specific admin panel URLs including /scadmin/user, /scadmin/role, /scadmin/permission, and /scadmin/checkip. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by Snyk and 3.5 (Low) by NVD, with attack vector being Network, attack complexity Low, and requiring user interaction (Snyk Advisory).

Successful exploitation of this vulnerability can lead to cookie theft, allowing attackers to hijack user sessions and gain unauthorized access to victim accounts. This could potentially give attackers access to administrative functions and sensitive data within the application (Snyk Advisory).

The recommended mitigation is to upgrade s-cart/s-cart and s-cart/core packages to version 6.9 or higher. Until the upgrade can be performed, it's advisable to implement proper input validation and sanitization, especially for administrative functions (Snyk Advisory).