CVE-2024-23865

Name of the Vulnerable Software and Affected Versions Cups Easy (Purchase & Inventory) version 1.0

Description A vulnerability has been reported in Cups Easy (Purchase & Inventory) whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via "/cupseasylive/taxstructurelist.php", in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

Recommendations For version 1.0, as a temporary workaround, consider restricting access to the "/cupseasylive/taxstructurelist.php" endpoint until a patch is available. Additionally, avoid using the description parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.