CVE-2019-7173

Name of the Vulnerable Software and Affected Versions Croogo versions prior to 3.0.7

Description A stored-self XSS issue allows an attacker to execute HTML or JavaScript code in a vulnerable Title field to the "/admin/file-manager/attachments/edit/4" API endpoint. This enables the attacker to inject malicious code, potentially leading to unauthorized actions or data exposure.

Recommendations For Croogo versions prior to 3.0.7, update to version 3.0.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/admin/file-manager/attachments/edit/4" endpoint or sanitizing user input in the Title field to prevent code injection.