PT-2021-10811 · Apfell

Mohamed A. Baset +1 · Published 2021-01-22 · Updated 2021-01-29 · CVE-2020-23014

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Apfell version 1.4
Description: The issue allows for authenticated reflected cross-site scripting (XSS) through the payloadtypes callback function in the "/apiui/command" API endpoint. This enables an attacker to steal remote admin or user sessions and potentially add new users to the administration panel.
Recommendations: For Apfell version 1.4, consider disabling the payloadtypes callback function as a temporary workaround until a patch is available. Restrict access to the "/apiui/command" API endpoint to minimize the risk of exploitation.

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2020-23014

Affected Products: Apfell