Xinyi Chen

**Name of the Vulnerable Software and Affected Versions** Ericsson CodeChecker versions prior to 6.18.2 **Description** A Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the "/CodeCheckerService" API. This issue affects the comments component, enabling attackers to inject malicious scripts. **Recommendations** For Ericsson CodeChecker versions prior to 6.18.2, update to version 6.18.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the comments component of the reports viewer until a patch is applied. Avoid using the "/CodeCheckerService" API with user-supplied input for the comments component until the issue is resolved.