PT-2018-9482 · Battelle · Battelle V2I Hub

Published: 2018-12-28 · Updated: 2019-01-11 · CVE-2018-1000629

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Battelle V2I Hub version 2.5.1

Description: The issue is caused by improper validation of user-supplied input, allowing for cross-site scripting. A remote attacker could exploit this by using the parameterName or login username parameter in a specially-crafted URL to execute script in a victim's Web browser. This could be done through API endpoints such as "api/SystemConfigActions.php?action=add" or the "index.php" script. An attacker could use this to steal the victim's cookie-based authentication credentials.

Recommendations: For Battelle V2I Hub version 2.5.1, consider disabling the api/SystemConfigActions.php?action=add and index.php scripts until a patch is available, and restrict the use of the parameterName and login username parameters to minimize the risk of exploitation.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2018-1000629

Affected Products

Battelle V2I Hub