PT-2021-9037 · Viki Vera · Viki Vera
Published 2021-01-05 · Updated 2021-01-08 · CVE-2019-20483
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Viki Vera version 4.9.1.26180
Description
An issue was discovered where an attacker could set a user's last name to an XSS payload. Because the stored last name is rendered for other users, this allows the attacker to read another user's cookie and use it to log in to the application.
Recommendations
For Viki Vera version 4.9.1.26180, consider restricting the ability to set user last names to trusted users, or validating input to prevent XSS payloads, until a patch is available. As a temporary workaround, restrict access to sensitive user information to minimize the risk of exploitation.
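As an added illustration that is not taken from this advisory or from Viki Vera's own code, the Python below contrasts a profile view that concatenates a stored last name into HTML (the defect the description points at) with the output encoding, input validation and HttpOnly session cookie that the recommendations and the cookie-theft impact call for. The field names, markup and sample users are constructed assumptions.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample data (not from Viki Vera): one ordinary user and one whose
# stored last name is an HTML script tag. Field names are hypothetical.
STORED_USERS = {
    "alice": {"first_name": "Alice", "last_name": "Smith"},
    "mallory": {"first_name": "M", "last_name": "<script>alert(1)</script>"},
}


def render_profile_unsafe(user: dict) -> str:
    """Vulnerable pattern: user-controlled text is concatenated into markup unchanged,
    so every viewer of this profile executes whatever the last name contains."""
    return f"<p>Name: {user['first_name']} {user['last_name']}</p>"


def render_profile(user: dict) -> str:
    """Hardened pattern: HTML-escape each user-controlled value at output time.
    The stored value is untouched; only its rendering changes."""
    first = html.escape(user["first_name"], quote=True)
    last = html.escape(user["last_name"], quote=True)
    return f"<p>Name: {first} {last}</p>"


# Write-time validation as a second layer (output encoding stays the primary fix):
# a name starts with a letter and otherwise contains letters, apostrophes, spaces
# or hyphens, up to 80 characters. Markup characters such as < > & " never match.
_NAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[' -]){0,79}")


def validate_last_name(value: str) -> bool:
    return _NAME_RE.fullmatch(value) is not None


def session_cookie_header(session_id: str) -> str:
    """Session cookie flags. HttpOnly keeps the cookie out of document.cookie, which
    removes the cookie-theft step this advisory describes; Secure and SameSite narrow
    exposure further."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_profile_unsafe(STORED_USERS["mallory"]))
    print(render_profile(STORED_USERS["mallory"]))
    print(session_cookie_header("constructed-session-id"))
```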
XSS
Affected Products
Viki Vera