Name of the Vulnerable Software and Affected Versions:

The product name cannot be determined. (affected versions not specified)

Description:

A Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session. This occurs because user-supplied input is reflected back in the server’s response without proper sanitization or escaping, potentially enabling malicious actions such as session hijacking, credential theft, or unauthorized actions in the application. The vulnerability resides in the “Tags” input field on the `/s/ajax?action=lead:addLeadTags` endpoint. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim’s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user’s session. A Reflected XSS attack can have a significant impact, allowing attackers to steal sensitive user data like cookies, redirect users to malicious websites, and manipulate the web page content.

Recommendations:

At the moment, there is no information about a newer version that contains a fix for this vulnerability.