CVE-2023-45471

Name of the Vulnerable Software and Affected Versions QAD Search Server versions up to, and including, 1.0.0.315

Description The QAD Search Server is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient checks on indexes. This allows unauthenticated attackers to create a new index and inject a malicious web script into its name, which will execute whenever a user accesses the search page.

Recommendations For QAD Search Server versions up to, and including, 1.0.0.315, consider disabling the index creation feature until a patch is available to prevent unauthenticated attackers from injecting malicious web scripts. Restrict access to the search page to minimize the risk of exploitation. Avoid using the index name parameter in the affected search endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.