PT-2024-31780 · Fluxcp · Fluxcp

Singe-Horizontal · Published 2024-09-16 · Updated 2024-09-20 · CVE-2024-45799

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: FluxCP versions prior to 1.3
Description: A JavaScript injection is possible via the vendors/buyers list pages, where shop names are rendered without sanitization, allowing arbitrary JavaScript to execute in the browser of any user who views those pages. This can result in the theft of session information for all logged-in FluxCP users.
Recommendations: For versions prior to 1.3, upgrade to release version 1.3 to address the issue. As a temporary workaround, restrict access to the vendors/buyers list pages and to shop names until the upgrade is applied, and avoid using the vulnerable pages until the issue is resolved.
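The root cause described above is a missing output-encoding step, so the fix on the application side is to HTML-encode the shop name wherever it is written into a page. The following is an added illustration, not FluxCP's own code: it assumes a hypothetical helper that renders one shop name into a table cell, shows the unsafe pattern next to the hardened one, and uses a constructed sample shop name so it runs on its own.

```php
<?php
// Added illustration (not FluxCP code): rendering a user-controlled shop name
// into an HTML table cell. Function names and the sample value are constructed.

function render_shop_name_unsafe(string $shopName): string
{
    // Vulnerable pattern: the untrusted string is concatenated straight into
    // markup, so any tags it contains reach the browser as live HTML.
    return '<td>' . $shopName . '</td>';
}

function render_shop_name_safe(string $shopName): string
{
    // Hardened pattern: HTML-encode at the point of output. ENT_QUOTES also
    // escapes both quote characters, so the same helper is safe inside an
    // attribute value; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string, which would otherwise silently drop the name.
    $encoded = htmlspecialchars(
        $shopName,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<td>' . $encoded . '</td>';
}

// Constructed sample: in a real deployment the shop name comes from the game
// database and is chosen by whoever opened the shop, so it must be treated as
// untrusted input.
$sample = 'Zeny Mart "Best" <script>';

echo render_shop_name_unsafe($sample), "\n";
// <td>Zeny Mart "Best" <script></td>   (tag is parsed by the browser)

echo render_shop_name_safe($sample), "\n";
// <td>Zeny Mart &quot;Best&quot; &lt;script&gt;</td>   (rendered as plain text)
```

Encoding belongs at output time rather than at storage time: the same shop name may later be emitted into a JSON response or a database query, each of which needs its own escaping, and encoding once on the way in leaves the other contexts unprotected while corrupting the stored value.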

Tags: Exploit · Fix · Information Disclosure · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-45799
GHSA-XVQV-25VF-88G4

Affected Products

Fluxcp