PT-2019-14249 · Gchq · Cyberchef

Dougburks · Published 2019-08-26 · Updated 2019-08-27 · CVE-2019-15532

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: CyberChef versions prior to 8.31.3
Description: The issue allows for Cross-Site Scripting (XSS) in the TextEncodingBruteForce.mjs operation. Specifically, in the Text Encoding Brute Force function, table rows are created by concatenating the `value` variable unsanitized into the HTML output. Because `value` is derived from user-controlled input, an attacker can cause arbitrary JavaScript to execute in a victim's browser.
Recommendations: Upgrade to version 8.31.3 or later. As a temporary workaround, consider restricting the use of the Text Encoding Brute Force function until a patch is applied. Avoid placing unsanitized user input in the `value` variable to minimize the risk of exploitation.
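As an added illustration of the bug class described above (example code, not CyberChef's own), the snippet below models a brute-force decoder that renders each candidate decoding as a table row: one builder concatenates the decoded value raw, the hardened one escapes it first. `ENCODINGS`, `escapeHtml`, `bruteForceDecode`, `buildRowsUnsafe` and `buildRowsSafe` are assumed names, and the sample bytes are constructed.

```javascript
// Candidate encodings to try; TextDecoder/TextEncoder are globals in Node and browsers.
// The list is an assumption for this example, not CyberChef's actual encoding table.
const ENCODINGS = ["utf-8", "utf-16le", "latin1"];

// Minimal HTML escaping for text placed inside an element body or attribute.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Decode the same bytes under every candidate encoding; each result is
// attacker-influenced, since it is derived directly from the input bytes.
function bruteForceDecode(bytes) {
  return ENCODINGS.map((enc) => {
    let value;
    try {
      value = new TextDecoder(enc).decode(bytes);
    } catch (e) {
      value = "(unsupported encoding)"; // label unknown to this runtime
    }
    return { enc, value };
  });
}

// Vulnerable pattern: the decoded value goes straight into the markup string,
// so any tag inside the input becomes live HTML when the table is rendered.
function buildRowsUnsafe(bytes) {
  return bruteForceDecode(bytes)
    .map(({ enc, value }) => `<tr><td>${enc}</td><td>${value}</td></tr>`)
    .join("");
}

// Hardened pattern: every untrusted string is escaped before it enters the markup.
function buildRowsSafe(bytes) {
  return bruteForceDecode(bytes)
    .map(({ enc, value }) => `<tr><td>${escapeHtml(enc)}</td><td>${escapeHtml(value)}</td></tr>`)
    .join("");
}

// Constructed input: the bytes of a string that contains a script tag.
const SAMPLE = new TextEncoder().encode("<script>alert(1)</script>");

console.log(buildRowsUnsafe(SAMPLE)); // raw <script> tag survives in the markup
console.log(buildRowsSafe(SAMPLE));   // rendered as &lt;script&gt;... text only
```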

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2019-15532
GHSA-JP6R-XCJJ-5H7R

Affected Products

Cyberchef