PT-2023-23323 · Evasys · Evasys

Bsc +3 · Published 2023-05-02 · Updated 2023-05-10 · CVE-2023-31434

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

evasys versions prior to 8.2 Build 2286
evasys versions 9.x prior to 9.0 Build 2401

Description

The issue concerns the lack of input validation for certain parameters in evasys, specifically nutzer titel, nutzer vn, nutzer nn, langID, and ONLINEID. This allows authenticated attackers to inject HTML code and XSS payloads in multiple locations.

Recommendations

For evasys versions prior to 8.2 Build 2286, update to version 8.2 Build 2286 or later.
For evasys versions 9.x prior to 9.0 Build 2401, update to version 9.0 Build 2401 or later.

As a temporary workaround, consider restricting access to the user profile and direct links to minimize the risk of exploitation. Avoid using the parameters nutzer titel, nutzer vn, nutzer nn, langID, and ONLINEID in the affected locations until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related identifiers

CVE-2023-31434

Affected products

Evasys