PT-2019-11433 · Openenergymonitor · Openenergymonitor Project Emoncms

Jna380 · Published 2019-07-15 · Updated 2019-07-18 · CVE-2019-1010008

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenEnergyMonitor Project Emoncms version 9.8.8
Description: The issue is a Cross Site Scripting (XSS) vulnerability. The impact is theoretically low, but it could enable persistent (stored) XSS, allowing a user to embed malicious code in their profile. The affected component is the JavaScript code execution in the "Name", "Location", "Bio", and "Starting Page" fields on the "My Account" page, specifically in the file Lib/listjs/list.js at line 67. The attack vector is a victim opening their profile page, if a persistent attack is possible.
Recommendations: For OpenEnergyMonitor Project Emoncms version 9.8.8, consider disabling the JavaScript code execution in the "Name", "Location", "Bio", and "Starting Page" fields on the "My Account" page as a temporary workaround until a patch is available. Restrict access to the list.js file to minimize the risk of exploitation. Avoid using the fields on the "My Account" page that are vulnerable to XSS until the issue is resolved.

XSS

Weakness Enumeration

Related Identifiers: CVE-2019-1010008

Affected Products: Openenergymonitor Project Emoncms