5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.9 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
0.0004 Low
EPSS
Percentile
12.3%
The XSS playload injected in the identities to create a new account leads to stored and reflected XSS in identities page and also in the logs page.
1. Go to admin/identities
2.Enter the payload in the username, first name and last name as these fields are not sanatized
3. This is the payload for triggering the XSS "><img> and you can see payload executed in both the accounts page
upon deletion action and the stored XSS will get triggered Logs page.
4. Please refer the POC for the same.
https://drive.google.com/file/d/1glc2cwyrmi_IwicJ5SD5n0Wuhi82AtEW/view?usp=sharing
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.9 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
0.0004 Low
EPSS
Percentile
12.3%