PT-2023-18908 · Avantfax · Avantfax

Harold Rodriguez · Published 2023-03-10 · Updated 2025-02-27 · CVE-2023-23326

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AvantFAX version 3.3.7
Description: A Stored Cross-Site Scripting (XSS) issue exists, allowing an authenticated low-privilege user to inject arbitrary JavaScript into their e-mail address. This code is executed when an administrator logs in to view the admin dashboard, potentially resulting in the theft of the administrator's session cookie and session hijacking.
Recommendations: For AvantFAX version 3.3.7, restrict access to the admin dashboard to trusted accounts until a fix is available, and avoid using the e-mail address field for any sensitive operations. As a temporary workaround, validate the e-mail address on input (reject anything that is not a syntactically valid address) and, more importantly, HTML-encode it wherever it is written into a page, since output encoding is what actually prevents a stored script from executing. Setting the HttpOnly flag on the session cookie limits cookie theft via document.cookie but does not stop an injected script from performing actions as the logged-in administrator.
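The two rendering patterns the recommendation contrasts, shown as an added PHP illustration (AvantFAX is a PHP application). This is not AvantFAX's own code: the function names, the user record layout and the payload string are assumed and constructed for the example.

```php
<?php
// Added illustration, not AvantFAX code. Function names, the $user record
// layout and the stored payload are hypothetical / constructed.

// --- Vulnerable pattern: stored value written into HTML unencoded ------------
// Whatever the user saved as their e-mail address lands in the admin's page
// verbatim, so a <script> element in that column runs in the admin's session.
function render_user_row_vulnerable(array $user): string
{
    return '<tr><td>' . $user['username'] . '</td><td>' . $user['email'] . '</td></tr>';
}

// --- Hardened: validate on the way in, encode on the way out -----------------

// Input validation (defence in depth, not the primary fix): reject anything
// that is not a syntactically valid address before it reaches the database.
function validate_email_input(string $email): ?string
{
    $email = trim($email);
    if (strlen($email) > 254) {          // RFC 5321 length limit for a path
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Output encoding (the actual fix): every untrusted value is HTML-encoded at
// the point it is written into the page, so a stored payload renders as text.
// ENT_QUOTES covers attribute contexts; ENT_SUBSTITUTE avoids an empty
// return on malformed UTF-8, which would otherwise drop the field silently.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_user_row_hardened(array $user): string
{
    return '<tr><td>' . h($user['username']) . '</td><td>' . h($user['email']) . '</td></tr>';
}

// --- Demonstration with a constructed record ---------------------------------
// A low-privilege user has saved a script tag as their "e-mail address".
$stored = [
    'username' => 'lowpriv',
    'email'    => '"><script>alert(1)</script>',   // constructed payload
];

echo "Vulnerable: " . render_user_row_vulnerable($stored) . "\n";
echo "Hardened:   " . render_user_row_hardened($stored) . "\n";

// The validator rejects the payload outright and accepts a normal address.
var_dump(validate_email_input($stored['email']));
var_dump(validate_email_input('user@example.com'));
```

In the vulnerable row the browser parses a real `<script>` element; in the hardened row the same bytes arrive as `&lt;script&gt;` and display as literal text. Note that `htmlspecialchars()` is the right encoder only for HTML element and attribute content: a value placed inside an inline JavaScript block, a URL or a CSS property needs the encoder for that context. Also keep the validation step even though it is not the fix, because an address that fails `FILTER_VALIDATE_EMAIL` has no business being stored at all.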

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2023-23326

Affected products

Avantfax