CVE-2024-28142

Name of the Vulnerable Software and Affected Versions No specific software or versions are mentioned in the provided descriptions.

Description The issue is due to missing input sanitization, allowing an attacker to perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "File Name" page (/cgi/uset.cgi?-cfilename) in the User Settings menu improperly filters the file name and wildcard character input field. By exploiting the wildcard character feature, attackers can store arbitrary Javascript code which is triggered if the page is viewed afterwards, e.g., by higher privileged users such as admins. This attack can even be performed without being logged in because the affected functions are not fully protected. Without logging in, only the file name parameter of the "Default" User can be changed.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.