PT-2023-29433 · Unknown · Change Request

Michitux · Published 2023-10-12 · Updated 2023-10-18 · CVE-2023-45138
CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Change Request, versions 0.11 up to but not including 1.9.2 (1.9.2 contains the fix)
Description: Any user who can create a Change Request, which requires no particular rights, can achieve script injection (stored XSS) and remote code execution by submitting a crafted title for the new Change Request: the title is displayed by the Change Request sheet (ChangeRequest.Code.ChangeRequestSheet) without being escaped. This is particularly critical because Change Request exists precisely to let users without special rights propose changes, so the attack needs no privilege beyond creating a request.
Recommendations: Upgrade to Change Request 1.9.2. If upgrading is not immediately possible, edit the document ChangeRequest.Code.ChangeRequestSheet in the wiki and apply the same change as in the fix commit. After patching, confirm that a Change Request whose title contains markup or macro syntax is shown literally in the sheet.
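To make the mechanism concrete, the following is an added Python model, not code from this advisory or from the Change Request extension, of a sheet that interpolates a submitted title without escaping, beside the escaped form, plus a small triage helper for titles already stored in a wiki. It assumes XWiki's rendering model (the sheet's output is rendered as XWiki 2.x wiki syntax, where a {{macro}} block such as {{groovy}} is executed with the rights of the sheet's author, which is how an unescaped title turns into code execution); the payload strings, function names and the ~ escaping shorthand are constructed for illustration.

```python
"""Model of the Change Request title injection (added example, not project code).

Assumptions not stated in the advisory: the sheet writes the submitted title
into its output as HTML (XSS path) and as XWiki 2.x wiki syntax (macro
execution path). All titles below are constructed for illustration.
"""
import html
import re

# Constructed payloads; not taken from the advisory or any real report.
XSS_TITLE = 'Fix login page <script>alert(document.cookie)</script>'
RCE_TITLE = 'Fix login page {{groovy}}println("id".execute().text){{/groovy}}'
BENIGN_TITLE = 'Fix login page & add tests'

# XWiki 2.x macro syntax: {{name ...}} ... {{/name}}
MACRO_RE = re.compile(r'\{\{\s*(/?)\s*([A-Za-z][\w-]*)')
# Anything that looks like the start of an HTML tag.
TAG_RE = re.compile(r'<\s*/?\s*[A-Za-z]')


def render_html_vulnerable(title):
    """Raw interpolation (the pattern behind the XSS): the title lands in the page as-is."""
    return f'<h1 class="changerequest-title">{title}</h1>'


def render_html_fixed(title):
    """Escape at the HTML output point (the equivalent of $escapetool.xml() in Velocity)."""
    return f'<h1 class="changerequest-title">{html.escape(title, quote=True)}</h1>'


def render_wiki_vulnerable(title):
    """Title emitted as a wiki-syntax heading; a {{groovy}} block inside it would be executed."""
    return f'= {title} ='


def escape_wiki_syntax(text):
    """Neutralise macro delimiters with ~, the XWiki 2.x escape character (assumption:
    this is the effect of escaping the title for the wiki syntax before emitting it)."""
    return text.replace('{', '~{').replace('}', '~}')


def render_wiki_fixed(title):
    """Same heading, but the title can no longer open or close a macro."""
    return f'= {escape_wiki_syntax(title)} ='


def macro_names(title):
    """Names of every macro a title tries to open or close, for triage output."""
    return sorted({m.group(2) for m in MACRO_RE.finditer(title)})


def find_injected_titles(titles):
    """Triage helper for existing Change Requests: a legitimate title never needs
    an HTML tag or macro syntax, so any title containing one deserves a look."""
    return [t for t in titles if TAG_RE.search(t) or MACRO_RE.search(t)]


if __name__ == "__main__":
    for title in (XSS_TITLE, RCE_TITLE, BENIGN_TITLE):
        print("vulnerable html :", render_html_vulnerable(title))
        print("fixed html      :", render_html_fixed(title))
        print("vulnerable wiki :", render_wiki_vulnerable(title))
        print("fixed wiki      :", render_wiki_fixed(title))
        print("macros          :", macro_names(title))
        print()
    print("suspicious:", find_injected_titles([XSS_TITLE, RCE_TITLE, BENIGN_TITLE]))
```

Running the script shows the constructed titles surviving unchanged in the vulnerable renderings and neutralised in the fixed ones; the triage helper is the check to run over existing Change Request titles after upgrading, since the fix only changes how titles are displayed, not what was already stored.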

Weakness type: XSS
Weakness Enumeration: not listed
Related Identifiers: CVE-2023-45138, GHSA-F776-W9V2-7VFJ
Affected Products: Change Request