CVE-2018-19089

Name of the Vulnerable Software and Affected Versions tianti version 2.3

Description The issue concerns a stored XSS in the userlist module. This occurs via the name parameter in the "tianti-module-admin/user/ajax/save role" endpoint, which is mishandled in the tianti-module-adminsrcmainwebappWEB-INFviewsuseruser list.jsp file.

Recommendations For tianti version 2.3, consider restricting access to the userlist module until a patch is available. As a temporary workaround, avoid using the name parameter in the "tianti-module-admin/user/ajax/save role" endpoint to minimize the risk of exploitation.