CVE-2022-44956: webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /proj...
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /projects/listprojects.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
Security readout for executives and security teams
Plain-English summary
CVE-2022-44956 is a medium-severity stored XSS issue reported in webtareas 2.4p5. A user able to set a project Name could inject browser-executed content that affects another user who views the project list.
Executive priority
Treat this as a moderate-priority application security issue. It is not reported as actively exploited, but it can affect user sessions and trust in the application if untrusted users can edit project data.
Technical view
The flaw is CWE-79 in /projects/listprojects.php. The Name field is reported to accept crafted HTML or script content and later render it in a browser. CVSS 3.1 is 5.4: network reachable, low complexity, low privileges required, user interaction required, changed scope, low confidentiality and integrity impact.
Likely exposure
Exposure is most likely in organizations running webtareas 2.4p5, especially where untrusted or semi-trusted users can create or edit project names.
Exploitation context
The supplied sources do not show CISA KEV listing or active exploitation. Exploitation requires an authenticated or privileged user to submit crafted content and another user to view the affected project list.
Researcher notes
Evidence is limited to the CVE record and the linked GitHub issue. No official patch version, vendor advisory, or exploitation telemetry is included in the supplied bundle, so remediation should start with vendor/project confirmation.
Mitigation direction
Inventory whether webtareas 2.4p5 is deployed.
Check the project or vendor for fixed versions or official guidance.
Restrict project creation and editing to trusted users only.
Ensure project names are validated and output-encoded before rendering.
Consider CSP as defense in depth, not a primary fix.
Validation and detection
Confirm whether /projects/listprojects.php exists in deployed instances.
Review whether the project Name field is stored and rendered unencoded.
In staging, verify harmless markup-like input displays as text only.
Check access controls for users who can create or edit projects.
Review application logs for suspicious project-name changes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
2ADP providers
2Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.