PT-2021-17675 · Unknown · Irisnext Edition

Published: 2021-07-06 · Updated: 2021-07-09 · CVE-2021-27930

CVSS v3.1: 5.4 (Medium)
Vector: AC:L/AV:N/A:N/C:L/I:L/PR:L/S:C/UI:R
Name of the Vulnerable Software and Affected Versions: IrisNext Edition version 9.5.16

Description: The issue allows an authenticated user to inject malicious JavaScript into folder or file names within the application, potentially leading to the execution of malicious code in other users' browsers or the hijacking of their sessions. This is achieved through multiple stored cross-site scripting (XSS) vulnerabilities: arbitrary web script or HTML can be injected via a document or folder name that is mishandled when certain forms are rendered.

Recommendations: For IrisNext Edition version 9.5.16, as a temporary workaround until a patch is available, restrict the ability to inject arbitrary web script or HTML via document or folder names. Avoid using the application's features that allow folder or file name modifications until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
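The defect class described above is a name that is inserted into form markup as HTML rather than as data. The following added example (not code from the advisory or from the IrisNext product) shows a vulnerable renderer beside a hardened one for a folder listing and a rename form, using a constructed folder name that breaks out of both a text-node and a double-quoted attribute context.

```javascript
// Vulnerable renderer: the raw folder/file name is concatenated into HTML,
// so any markup in the name is parsed by the browser instead of displayed.
function renderRowVulnerable(name) {
  return `<li>${name}</li>` +
         `<form><input name="newName" value="${name}"></form>`;
}

// Minimal HTML escaper that is safe for both text nodes and double-quoted
// attribute values (the two contexts a name lands in here).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: the name is escaped once, at output time, for each context.
function renderRowSafe(name) {
  const safe = escapeHtml(name);
  return `<li>${safe}</li>` +
         `<form><input name="newName" value="${safe}"></form>`;
}

// Simple regression check for a test suite: the rendered markup must contain
// exactly the tags the template itself emits (li, form, input) and no others.
function onlyTemplateTags(html) {
  const tags = html.match(/<\/?([a-zA-Z]+)/g) || [];
  const allowed = new Set(['<li', '</li', '<form', '</form', '<input']);
  return tags.every((t) => allowed.has(t));
}

// Constructed sample name (not from the advisory): closes the attribute and
// injects a harmless <b> element, which is enough to show the name was
// interpreted as markup.
const SAMPLE_NAME = 'Reports"><b>bold</b>';

module.exports = { renderRowVulnerable, renderRowSafe, escapeHtml, onlyTemplateTags, SAMPLE_NAME };
```

Running `onlyTemplateTags(renderRowVulnerable(SAMPLE_NAME))` returns false while the hardened renderer passes; the same check is a useful unit test for any view that displays stored names.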

Exploit: XSS


Weakness Enumeration

Related Identifiers: CVE-2021-27930

Affected Products: Irisnext Edition