CVE-2023-4497

Name of the Vulnerable Software and Affected Versions Easy Chat Server versions 3.1 and earlier

Description The issue arises from insufficient encryption of user-controlled inputs, leading to a Cross-Site Scripting (XSS) vulnerability. This vulnerability is stored via the "/registresult.htm" API endpoint using the POST method, specifically in the Icon parameter. The XSS is loaded from "/users.ghp".

Recommendations For Easy Chat Server versions 3.1 and earlier, as a temporary workaround, consider restricting access to the /registresult.htm API endpoint and avoiding use of the Icon parameter until a patch is available. Additionally, restrict access to the /users.ghp page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.