CVE-2019-25316

Name of the Vulnerable Software and Affected Versions GOautodial version 4.0

Description GOautodial version 4.0 has a persistent cross-site scripting issue. Authenticated attackers can inject malicious scripts through the event title parameter. The issue is exploitable via crafted POST requests with XSS payloads sent to the /CreateEvent.php endpoint, allowing for the execution of arbitrary JavaScript in victim browsers.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize the event title parameter before processing it in the CreateEvent.php endpoint.