PT-2022-25865 · Xzs · Xzs
Published
2022-10-17
·
Updated
2022-10-20
·
CVE-2022-41431
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
xzs version 3.8.0
Description
The issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the
Title text field in the /admin/question/edit API endpoint. This enables the execution of malicious code on the web application.Recommendations
For xzs version 3.8.0, consider disabling the
/admin/question/edit endpoint until a patch is available to prevent exploitation. Restrict access to the Title text field in this endpoint to minimize the risk of arbitrary code execution.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Xzs