PT-2023-32770 · Unknown · Amazing Little Poll
David Utón Amaya
+1
·
Published
2023-12-13
·
Updated
2023-12-22
·
CVE-2023-6769
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Amazing Little Poll versions 1.3 through 1.4
Description
The issue is a Stored XSS vulnerability that allows a remote attacker to store a malicious JavaScript payload in the "lp admin.php" file using the
question and item parameters. This could lead to malicious JavaScript execution while the page is loading.Recommendations
For versions 1.3 and 1.4, consider disabling access to the "lp admin.php" file or restricting the use of the
question and item parameters until a patch is available. As a temporary workaround, avoid using the question and item parameters in the affected API endpoint.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Amazing Little Poll