CVE-2024-23874

Name of the Vulnerable Software and Affected Versions Cups Easy (Purchase & Inventory) version 1.0

Description A Cross-Site Scripting (XSS) issue has been reported due to insufficient encoding of user-controlled inputs. This issue can be exploited via the "/cupseasylive/companymodify.php" API endpoint, specifically through the address1 parameter. Exploitation could allow a remote attacker to send a specially crafted URL to an authenticated user, potentially stealing their session cookie credentials.

Recommendations For Cups Easy (Purchase & Inventory) version 1.0, consider disabling access to the "/cupseasylive/companymodify.php" API endpoint until a patch is available, or restrict the use of the address1 parameter to minimize the risk of exploitation.