PT-2026-1674 · Unknown · Soca Access Control System

Published: 2026-01-07 · Updated: 2026-01-08 · CVE-2019-25270

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

SOCA Access Control System version 180612

Description

The SOCA Access Control System contains a cross-site scripting issue in the senddata POST parameter of the 'logged page.php' file. An attacker can inject malicious scripts by sending crafted POST requests, potentially executing arbitrary HTML and script code within a victim's browser session. The affected endpoint is 'logged page.php' and the vulnerable parameter is senddata.

Recommendations

Apply input validation and output encoding to the senddata POST parameter in the 'logged page.php' file to prevent the injection of malicious scripts. As a temporary workaround, consider restricting access to the 'logged page.php' file to minimize the risk of exploitation.
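
The sketch below is an added example of the validation and output encoding recommended above; it is not SOCA code or a vendor patch. How the real page uses senddata is not published, so the accepted format, the helper names and the three output contexts are assumptions (PHP 8.0 or later).

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept senddata only if it fits an assumed format.
// Returns null for anything else, including array input (senddata[]=x).
function validate_senddata(mixed $raw): ?string
{
    if (!is_string($raw) || strlen($raw) > 256) {
        return null;
    }
    // Assumed allow-list: ASCII letters, digits, space and a few separators.
    return preg_match('/\A[A-Za-z0-9 _.,:=-]*\z/', $raw) === 1 ? $raw : null;
}

// Encoding for HTML element content and quoted attribute values.
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoding for a JSON data block: <, >, &, ' and " become \uXXXX escapes,
// so the value cannot close the surrounding <script> element.
function js_literal(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

$senddata = validate_senddata($_POST['senddata'] ?? null);
if ($senddata === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=UTF-8');
    exit('Invalid senddata');
}

header('Content-Type: text/html; charset=UTF-8');
// Defence in depth: with this policy the browser refuses inline script
// even if an encoding step is missed somewhere else on the page.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
?>
<p>Received: <?= html_text($senddata) ?></p>
<input type="hidden" name="senddata" value="<?= html_text($senddata) ?>">
<script type="application/json" id="senddata-json"><?= js_literal($senddata) ?></script>
```

Validation narrows what is accepted, but the encoding at each output point is what prevents injection, so both helpers stay in place even if the allow-list is later widened.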

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-25270

Affected Products

Soca Access Control System