CVE-2024-23857

Name of the Vulnerable Software and Affected Versions Cups Easy (Purchase & Inventory) version 1.0

Description A Cross-Site Scripting (XSS) issue has been reported due to insufficient encoding of user-controlled inputs. This issue can be exploited via the /cupseasylive/grnlinecreate.php endpoint, specifically in the batchno parameter. Exploitation could allow a remote attacker to send a specially crafted URL to an authenticated user, potentially stealing their session cookie credentials.

Recommendations For version 1.0, as a temporary workaround, consider restricting access to the /cupseasylive/grnlinecreate.php endpoint or disabling the use of the batchno parameter until a patch is available. Additionally, ensure proper input validation and encoding to prevent XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.