Openwebif · Openwebif · CVE-2021-38113
Name of the Vulnerable Software and Affected Versions:
OpenWebif (aka e2openplugin-OpenWebif) versions 1.4.7 and earlier
Description:
The Add Bouquet feature of the Bouquet Editor does not sanitize the name parameter of the "bouqueteditor/api/addbouquet?name=" endpoint, so an attacker can store JavaScript in a bouquet name, resulting in Stored XSS.
Recommendations:
For OpenWebif versions 1.4.7 and earlier, consider disabling the addBouquet feature in the Bouquet Editor until a patch is available. Restrict access to the bouqueteditor/api/addbouquet endpoint to minimize the risk of exploitation, and avoid supplying the name parameter to the affected API endpoint until the issue is resolved.
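As an added illustration (this is not OpenWebif's code, and the handler names, the name policy, the log format and the sample log lines below are all constructed assumptions), the following Python sketch shows the defect class behind this advisory next to its two defensive controls: rejecting bouquet names outside an expected character set when the addbouquet request is handled, and HTML-escaping stored names when the editor page is rendered. It also includes a check a defender can run over web-server access logs to spot requests to the addbouquet endpoint whose name parameter carries markup.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical policy for a bouquet name: printable text within a bounded
# length. Assumed for this example; tune it to the product's real needs.
_NAME_RE = re.compile(r"[\w .,'&()\-]{1,64}")

# Access-log line shape assumed here (Common Log Format style, constructed).
_REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def add_bouquet_unsafe(store: list, name: str) -> dict:
    """Stores the name verbatim: the class of defect the advisory describes
    (no validation on input, and an unescaped render later on)."""
    store.append(name)
    return {"result": True, "message": "bouquet added"}


def add_bouquet_hardened(store: list, name: str) -> dict:
    """Validates the name and rejects anything outside the policy, so the
    stored value is always within the expected character set."""
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        return {"result": False, "message": "invalid bouquet name"}
    store.append(name)
    return {"result": True, "message": "bouquet added"}


def render_list_unsafe(names) -> str:
    """Interpolates stored names raw into the page: any markup in a name
    becomes live HTML for every user who opens the editor (stored XSS)."""
    return "<ul>" + "".join(f"<li>{n}</li>" for n in names) + "</ul>"


def render_list_safe(names) -> str:
    """Same page, but each name is HTML-escaped at output time. This control
    holds even if input validation is bypassed or older data is already stored."""
    return "<ul>" + "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in names) + "</ul>"


def flag_suspicious_requests(log_lines) -> list:
    """Detection: returns (client, decoded name) for every addbouquet request
    whose name parameter violates the name policy (for example, contains markup)."""
    hits = []
    for line in log_lines:
        m = _REQ_RE.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(2)
        parts = urlsplit(target)
        if not parts.path.endswith("/bouqueteditor/api/addbouquet"):
            continue
        # parse_qs percent-decodes, so the check sees what the server saw.
        for name in parse_qs(parts.query, keep_blank_values=True).get("name", []):
            if not _NAME_RE.fullmatch(name):
                hits.append((client, name))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2021:10:00:00 +0000] "GET /bouqueteditor/api/addbouquet?name=Sports%20HD HTTP/1.1" 200 45',
    '192.0.2.11 - - [01/Aug/2021:10:00:05 +0000] "GET /bouqueteditor/api/addbouquet?name=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 45',
    '192.0.2.12 - - [01/Aug/2021:10:00:09 +0000] "GET /api/about HTTP/1.1" 200 1200',
]


if __name__ == "__main__":
    store = []
    print(add_bouquet_hardened(store, "Sports HD"))
    print(add_bouquet_hardened(store, "<script>test</script>"))
    print(render_list_safe(store))
    print(flag_suspicious_requests(SAMPLE_LOG))
```

Validation on input and escaping on output are independent layers: the escaping in render_list_safe is what actually prevents script execution, while the input policy keeps bad data out of the store and gives the log check a precise rule to flag on.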