CVE-2019-9957

Name of the Vulnerable Software and Affected Versions EspressReport ES (ERES) version 7.0 update 7

Description The issue allows remote attackers to execute malicious JavaScript and inject arbitrary source code into target pages through a stored XSS attack. This is achieved by creating a new user account with a username set to an XSS payload. The stored payload can be triggered by accessing the "Set Security Levels" or "View User/Group Relationships" page. In cases where the attacker lacks permission to create a new user, another vulnerability like CSRF must be exploited first.

Recommendations For EspressReport ES (ERES) version 7.0 update 7, consider disabling the user account creation feature until a patch is available to prevent the exploitation of this issue. Additionally, restrict access to the "Set Security Levels" and "View User/Group Relationships" pages to minimize the risk of stored XSS payload execution.