PT-2019-11272 · Opt/Net Bv · Ng-Netms
Published: 2019-02-04 · Updated: 2019-02-06
CVE-2019-1000024
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
OPT/NET BV NG-NetMS versions v3.6-2 and earlier
Description:
A Cross-Site Scripting (XSS) vulnerability affects the /js/libs/jstree/demo/filebrowser/index.php page, where the id and operation GET parameters can be used to inject arbitrary JavaScript. The attack is exploitable via network connectivity.
Recommendations:
For OPT/NET BV NG-NetMS versions v3.6-2 and earlier, consider disabling access to the /js/libs/jstree/demo/filebrowser/index.php page until a fix is available. Restrict the use of the id and operation parameters on this page to minimize the risk of exploitation.
Affected Products:
Ng-Netms