CVE-2022-32118

MEDIUM

Arox School ERP Pro 1.0 - Cross-Site Scripting via dispatchcategory Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-32118. PoCs published by JC175.

AI-analyzed exploit summary: The repository provides functional proof-of-concept payloads for stored and reflected XSS vulnerabilities in Arox School ERP Pro. It includes specific URLs and parameters that can be manipulated to execute arbitrary JavaScript, demonstrating the vulnerability in multiple pages of the application.

Description

Arox School ERP Pro v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the dispatchcategory parameter in backoffice.inc.php.

Exploits (1)

nomisec · WORKING POC · 1 star
by JC175 · poc
https://github.com/JC175/CVE-2022-32118

Classification

Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Arox School ERP Pro
No auth needed
Prerequisites: Access to the vulnerable Arox School ERP Pro application
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Vendor Advisory (x_refsource_misc): https://www.arox.in
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/JC175/CVE-2022-32118

Scores

CVSS v3: 6.1
EPSS: 0.0095
EPSS Percentile: 56.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): arox/school_erp_pro 1.0
Published: Jul 15, 2022
Tracked Since: Feb 18, 2026