Cross-site scripting vulnerabilities in Team Members version 5.0.3 and lower allow medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the ‘Description/biography’ of a member.
https://drive.google.com/file/d/1w5AmyBEOxAmtQ0T3uGKAB3o9w3ihNRAj/view Add a user to a team, then use in the ‘Description/biography’ field.
CPE | Name | Operator | Version |
---|---|---|---|
team-members | lt | 5.0.4 |