CVE-2024-23880

Name of the Vulnerable Software and Affected Versions Cups Easy (Purchase & Inventory) version 1.0

Description A Cross-Site Scripting (XSS) issue has been reported, where user-controlled inputs are not sufficiently encoded. This issue can be exploited via the /cupseasylive/taxcodelist.php endpoint, specifically in the description parameter. Exploitation could allow a remote attacker to send a specially crafted URL to an authenticated user, potentially stealing their session cookie credentials.

Recommendations For Cups Easy (Purchase & Inventory) version 1.0, consider validating and encoding user-controlled inputs to prevent XSS attacks. As a temporary workaround, restrict access to the /cupseasylive/taxcodelist.php endpoint to minimize the risk of exploitation. Avoid using the description parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.