CVE-2023-31434

CVSS v3.1

5.4

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions evasys versions prior to 8.2 Build 2286 evasys versions 9.x prior to 9.0 Build 2401

Description The issue concerns the lack of input validation for certain parameters in evasys, specifically

nutzer titel

nutzer vn

nutzer nn

langID

, and

ONLINEID

. This allows authenticated attackers to inject HTML code and XSS payloads in multiple locations.

Recommendations For evasys versions prior to 8.2 Build 2286, update to version 8.2 Build 2286 or later. For evasys versions 9.x prior to 9.0 Build 2401, update to version 9.0 Build 2401 or later. As a temporary workaround, consider restricting access to the user profile and direct links to minimize the risk of exploitation. Avoid using the parameters

nutzer titel

nutzer vn

nutzer nn

langID

, and

ONLINEID

in the affected locations until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2023-31434

Affected Products

Evasys

CVE-2023-31434

Weakness Enumeration

Related Identifiers

Affected Products

References · 4