Name of the Vulnerable Software and Affected Versions:

appRain CMF version 4.0.5

Description:

A stored authenticated cross-site scripting (XSS) issue exists due to insufficient validation of user-supplied data. The vulnerability is triggered through the `data[Addon][layouts]` and `data[Addon][layouts except]` parameters in the `/apprain/developer/addons/update/tablesorter` API endpoint.

Recommendations:

Ensure proper validation and sanitization of user input for the `data[Addon][layouts]` and `data[Addon][layouts except]` parameters.

As a temporary workaround, restrict access to the `/apprain/developer/addons/update/tablesorter` API endpoint.