PT-2022-11957 · Lorensbergs · Lorensbergs Connect2

Published: 2022-01-12 · Updated: 2024-08-04 · CVE-2021-43960

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Lorensbergs Connect2 version 3.13.7647.20190

Description: The issue concerns an XSS vulnerability that requires administrator privileges to exploit. It is performed through the Wizard editor of the application, where an administrator must enter an XSS payload within specific fields such as Page title, Page Instructions, Text before, Text after, or Text on side box, and then save the changes. The XSS triggers when any user performs a booking for rental items in the booking area of the application. It is noted that the product cannot effectively defend users against a malicious administrator, who may use JavaScript to customize page rendering.

Recommendations: For Lorensbergs Connect2 version 3.13.7647.20190, as a temporary workaround, consider restricting access to the Wizard editor to minimize the risk of exploitation. Additionally, avoid using the Page title, Page Instructions, Text before, Text after, or Text on side box fields in the Wizard editor until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
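The root cause described above is stored administrator text reaching every booking user's browser without output encoding. The following is an added example, not Connect2's own code: the field names mirror the advisory's list, while the rendering templates, the `audit_wizard_fields` helper and the sample values are hypothetical and constructed here. It shows the vulnerable interpolation pattern beside its hardened form (HTML-escaping each Wizard field at output time), plus a small audit that flags stored field values containing markup so existing content can be reviewed while access to the editor is restricted.

```python
"""Added example (not Lorensbergs Connect2 code): render Wizard editor fields
safely and audit stored values for markup-like content.

Assumptions (hypothetical): the field keys below mirror the advisory's field
names; the HTML templates and the audit helper are constructed for this example.
"""
import html
import re

# The five administrator-editable Wizard fields named in the advisory.
WIZARD_FIELDS = (
    "page_title",
    "page_instructions",
    "text_before",
    "text_after",
    "text_on_side_box",
)

# Matches an HTML tag opener, an entity-encoded "<", or a javascript: URL.
_MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-zA-Z!]|&(?:lt|#0*60|#x0*3c);|javascript\s*:", re.IGNORECASE
)


def render_wizard_page_unsafe(fields: dict) -> str:
    """Vulnerable pattern: administrator text is interpolated verbatim, so
    markup saved in the Wizard editor executes in every booking user's browser."""
    return (
        f"<h1>{fields.get('page_title', '')}</h1>"
        f"<p class='instructions'>{fields.get('page_instructions', '')}</p>"
        f"<div class='before'>{fields.get('text_before', '')}</div>"
        f"<aside>{fields.get('text_on_side_box', '')}</aside>"
        f"<div class='after'>{fields.get('text_after', '')}</div>"
    )


def render_wizard_page(fields: dict) -> str:
    """Hardened pattern: every field is HTML-escaped at output time, so the
    stored text is displayed literally and cannot introduce script or tags."""
    esc = {
        name: html.escape(str(fields.get(name, "")), quote=True)
        for name in WIZARD_FIELDS
    }
    return (
        f"<h1>{esc['page_title']}</h1>"
        f"<p class='instructions'>{esc['page_instructions']}</p>"
        f"<div class='before'>{esc['text_before']}</div>"
        f"<aside>{esc['text_on_side_box']}</aside>"
        f"<div class='after'>{esc['text_after']}</div>"
    )


def audit_wizard_fields(fields: dict) -> list:
    """Return the names of Wizard fields whose stored value contains
    markup-like content, for manual review while the editor is restricted."""
    return [
        name for name in WIZARD_FIELDS
        if _MARKUP_RE.search(str(fields.get(name, "")))
    ]


# Constructed sample record: one field carries a script tag, another a bare
# ampersand that must survive escaping as a literal character.
SAMPLE = {
    "page_title": "Equipment loan",
    "page_instructions": "Pick a return date <script>alert(1)</script>",
    "text_before": "Items are due back by 17:00.",
    "text_after": "Thank you & see you soon",
    "text_on_side_box": "",
}

if __name__ == "__main__":
    print(audit_wizard_fields(SAMPLE))
    print(render_wizard_page(SAMPLE))
```

The escaping belongs at the point where the field is written into the page, not at save time, so that content already stored by an administrator is neutralised too; the audit only lists candidates and does not alter stored values.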

Exploit: XSS

Weakness Enumeration

Related Identifiers: CVE-2021-43960

Affected Products: Lorensbergs Connect2