CVE-2021-41917

Name of the Vulnerable Software and Affected Versions webTareas versions 2.4 and earlier

Description The issue allows an authenticated user to store arbitrary web script or HTML by creating or editing a client name in the clients section, due to incorrect sanitization of user-supplied data. This can achieve a Stored Cross-Site Scripting attack against the platform users and administrators. The affected endpoint is "/clients/editclient.php", specifically the HTTP POST cn parameter.

Recommendations For webTareas versions 2.4 and earlier, consider disabling the editing functionality in the clients section until a patch is available. Restrict access to the "/clients/editclient.php" endpoint to minimize the risk of exploitation. Avoid using the cn parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.