Veracode Vulnerability Database: VERACODE:47173
May 24, 2024 - 11:51 a.m.

Cross-site Scripting (XSS)

Published: 2024-05-24 11:51:23
Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)

Tags: cross-site scripting, vulnerability, sanitization, search suggestion, unauthorized code execution, user sessions, malicious actions, attackers

AI Score: 6.8 (Medium)
Confidence: High

ezsystems/ezfind-ls is vulnerable to Cross-site Scripting (XSS). The vulnerability is caused by the lack of proper sanitization of the $search_extras.spellcheck_collation variable in the “Did you mean…?” spell check/search suggestion feature. This may lead to unauthorized code execution, compromising user sessions and enabling various malicious actions by attackers.
