CVE-2024-30952

Name of the Vulnerable Software and Affected Versions PESCMS-TEAM version 2.3.6

Description A stored cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the domain input field under the "/youdoamin/?g=Team&m=Setting&a=action" API endpoint. This enables attackers to potentially manipulate the website's behavior or steal user data.

Recommendations For PESCMS-TEAM version 2.3.6, as a temporary workaround, consider restricting access to the "/youdoamin/?g=Team&m=Setting&a=action" API endpoint to minimize the risk of exploitation. Avoid using the domain input field in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.