CVE-2023-4495

Name of the Vulnerable Software and Affected Versions Easy Chat Server versions 3.1 and earlier

Description The issue arises from insufficient encryption of user-controlled inputs, leading to a Cross-Site Scripting (XSS) vulnerability. This vulnerability is stored via the "POST" method at the /registresult.htm endpoint, specifically in the Resume parameter. The XSS is loaded from /register.ghp.

Recommendations For Easy Chat Server versions 3.1 and earlier, consider disabling the Resume parameter in the /registresult.htm endpoint as a temporary workaround until a patch is available. Restrict access to the /register.ghp page to minimize the risk of exploitation. Avoid using the Resume parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.