CVE-2018-9155

Name of the Vulnerable Software and Affected Versions Open-AudIT Professional version 2.1.1

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component. This is demonstrated in the Admin->Logs section with a logs?logs.type= URI and the Manage->Attributes section via the Name (display) field to the attributes/create URI.

Recommendations For Open-AudIT Professional version 2.1.1, consider restricting access to the Admin->Logs and Manage->Attributes sections until a patch is available. As a temporary workaround, avoid using crafted names of components in these sections to minimize the risk of exploitation.