Cyber Resilience

CVE-2022-29005

Severity: Medium

Published: 23 May 2022

Modified: 21 November 2024
KEV Added: not listed
Patch: none listed
CVSS v3.1 score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS score: 0.0737 (91.9th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-29005 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Phpgurukul Online Birth Certificate System. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 8.1% of CVEs by EPSS-estimated exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-29005 is a set of reflected cross-site scripting flaws (CWE-79) located in the /obcs/user/profile.php component of Online Birth Certificate System version 1.2. Untrusted input supplied through the fname and lname parameters is rendered without sanitization or output encoding, allowing an attacker to supply HTML or JavaScript payloads that execute in the browser of any user who subsequently views the affected profile page. The vulnerability received a CVSS 3.1 score of 6.1.

An unauthenticated remote attacker can craft a malicious link or form submission that injects the payload; when a victim follows the link or loads the profile, the script runs in the victim's context with the changed scope noted in the CVSS vector. Successful exploitation can result in theft of session tokens, display of arbitrary content, or limited actions on behalf of the victim within the application.

The associated EPSS score started low after disclosure but rose materially to a peak of 0.2212 on 2025-12-11 before receding to its current value of 0.0737, indicating a measurable increase in observed exploitation interest well after the initial publication date. No vendor-supplied patches or official mitigation guidance appear among the listed references.

Vulnerability details

Multiple cross-site scripting (XSS) vulnerabilities in the component /obcs/user/profile.php of Online Birth Certificate System v1.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname or lname parameters.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: phpgurukul
Product: online birth certificate system
Version: 1.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation. (addresses CWE-79)

Validates web inputs to reject script-related content that could produce XSS. (addresses CWE-79)

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability. (addresses CWE-79)
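As an added illustration of the reflection flaw described in the deeper analysis and of the input- and output-validation controls listed above, the PHP below places a handler that echoes the fname and lname parameters unencoded beside a hardened version. This is constructed example code, not the project's /obcs/user/profile.php; only the two parameter names come from the advisory, while the function names, the name allow-list regex and the sample requests are assumptions.

```php
<?php
// Constructed example, not the project's own code. Only the parameter names
// fname/lname come from the advisory; everything else here is an assumption.

// Vulnerable pattern (CWE-79): the parameter is echoed straight into the HTML
// attribute, so any markup in the query string becomes part of the page.
function render_profile_vulnerable(array $params): string
{
    $fname = $params['fname'] ?? '';
    $lname = $params['lname'] ?? '';
    return '<input name="fname" value="' . $fname . '">'
         . '<input name="lname" value="' . $lname . '">';
}

// Output encoding for the HTML attribute context. ENT_QUOTES also escapes
// single quotes (needed inside attribute values); ENT_SUBSTITUTE stops
// htmlspecialchars from returning '' on invalid UTF-8 and blanking the field.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input validation: letters in any script, combining marks, spaces,
// apostrophes and hyphens, 1-60 characters. Anything else is rejected.
function valid_name(string $value): bool
{
    return (bool) preg_match('/^[\p{L}\p{M} \'\-]{1,60}$/u', $value);
}

// Hardened pattern: validate, then still encode on output (defence in depth,
// since the allow-list admits the apostrophe, which matters in attributes).
function render_profile_hardened(array $params): string
{
    $fname = (string) ($params['fname'] ?? '');
    $lname = (string) ($params['lname'] ?? '');
    if (!valid_name($fname) || !valid_name($lname)) {
        http_response_code(400);
        return '<p>Invalid name.</p>';
    }
    return '<input name="fname" value="' . e($fname) . '">'
         . '<input name="lname" value="' . e($lname) . '">';
}

// Constructed sample requests: one legitimate name, one carrying markup.
$legit  = ['fname' => "O'Brien", 'lname' => 'Smith'];
$markup = ['fname' => 'Ada <i>L</i>', 'lname' => 'Smith'];
echo render_profile_vulnerable($markup), PHP_EOL; // <i> tag lands in the page
echo render_profile_hardened($legit), PHP_EOL;    // value="O&#039;Brien"
echo render_profile_hardened($markup), PHP_EOL;   // rejected with 400
```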

References