CVE-2018-5411

Name of the Vulnerable Software and Affected Versions Pixar's Tractor software versions 2.2 and earlier

Description The issue concerns a stored cross-site scripting problem in a field where users can add notes to existing nodes. This allows an attacker to insert Javascript code into the note field, which is then saved and displayed to end-users when they request node information. The inserted Javascript can execute on an authenticated user's system, potentially leading to website redirects, session cookie hijacking, or social engineering attacks. Since the malicious code is stored with the node's information, all authenticated users with access to this data are also at risk.

Recommendations For Pixar's Tractor software versions 2.2 and earlier, consider disabling the note field functionality until a patch is available to prevent the insertion of malicious Javascript code. Restrict access to nodes that may contain stored cross-site scripting code to minimize the risk of exploitation. Avoid displaying notes added to nodes by untrusted users to prevent potential Javascript execution on authenticated users' systems. At the moment, there is no information about a newer version that contains a fix for this issue.