Ztree · Ztree · CVE-2015-7348
**Name of the Vulnerable Software and Affected Versions**
zTree versions 3.5.19.1 and earlier
**Description**
A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `id` parameter to "demo/en/asyncData/getNodesForBigData.php" API endpoint.
**Recommendations**
For zTree versions 3.5.19.1 and earlier, avoid using the `id` parameter in the "demo/en/asyncData/getNodesForBigData.php" API endpoint until the issue is resolved.