PT-2023-13729 · Italtel · Italtel Netmatch-S Ci

Fabio Romano +3 · Published 2023-01-27 · Updated 2025-03-28 · CVE-2022-39813

CVSS v3.1: 6.1 (Medium) · Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Italtel NetMatch-S CI version 5.2.0-20211008

Description: The issue allows multiple reflected/stored XSS, enabling an attacker to inject arbitrary JavaScript. This can be achieved via the j_security_check endpoint under NMSCIWebGui, using the j_username parameter, or via the actloglineview.jsp endpoint under NMSCIWebGui, using the name or actLine parameters. The injected payload is triggered every time an authenticated user browses the page containing it.

Recommendations: For Italtel NetMatch-S CI version 5.2.0-20211008, consider restricting access to the j_security_check and actloglineview.jsp endpoints under NMSCIWebGui until a patch is available. As a temporary workaround, avoid using the j_username, name, and actLine parameters in the affected endpoints to minimize the risk of exploitation.
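As an added defender-side example (not part of this advisory and not Italtel's code), the following Python scans web-server access-log lines for requests to the two NMSCIWebGui endpoints named above whose listed parameters carry HTML markup, which is what an XSS attempt against CVE-2022-39813 looks like from the server side. The combined log format, the constructed sample lines and the markup heuristic are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint path -> parameters the advisory names as injectable (under NMSCIWebGui).
WATCHED = {
    "/NMSCIWebGui/j_security_check": {"j_username"},
    "/NMSCIWebGui/actloglineview.jsp": {"name", "actLine"},
}
# Heuristic: a tag opener, javascript: URL or inline event handler has no
# business in a login name or a log-line view filter value.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
# Assumed combined log format: client ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')


def suspicious_params(target, body=""):
    """Return [(param, decoded value)] for watched parameters carrying markup.
    body: optional form body from a proxy/WAF log, since j_security_check is
    normally POSTed and its j_username never reaches a plain access log."""
    parts = urlsplit(target)
    params = next((p for ep, p in WATCHED.items() if parts.path.endswith(ep)), None)
    if params is None:
        return []
    hits = []
    for raw in (parts.query, body):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            for value in (values if name in params else ()):
                value = unquote(value)  # second decode catches double-encoding
                if MARKUP.search(value):
                    hits.append((name, value))
    return hits


def scan_log(lines):
    """Yield (client, timestamp, path, hits) for lines with a suspicious request."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            client, ts, _method, target, _status = m.groups()
            hits = suspicious_params(target)
            if hits:
                yield client, ts, urlsplit(target).path, hits


# Constructed sample lines, not real traffic; the markup is a minimal probe.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Jan/2023:10:00:01 +0000] "GET /NMSCIWebGui/actloglineview.jsp?name=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Jan/2023:10:00:02 +0000] "GET /NMSCIWebGui/actloglineview.jsp?name=trunk01&actLine=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Jan/2023:10:00:03 +0000] "GET /NMSCIWebGui/j_security_check?j_username=%253Cimg%20onerror%3Dx%253E HTTP/1.1" 302 0',
    '203.0.113.9 - - [27/Jan/2023:10:00:04 +0000] "GET /NMSCIWebGui/index.jsp?name=%3Cb%3E HTTP/1.1" 200 100',
]
```

Running `list(scan_log(SAMPLE_LOG))` flags the first and third lines only; the second (benign values) and fourth (unwatched endpoint) are ignored. Because a plain access log records only the query string, pass the recorded form body as `body` when checking j_security_check logins from a proxy or WAF log.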

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2022-39813

Affected Products: Italtel Netmatch-S Ci