
JavaScript Injection in Vending Info/Buyers Info Module

Moderate
Akkarinage published GHSA-xvqv-25vf-88g4 Sep 16, 2024

Package

No package listed

Affected versions

< 1.3

Patched versions

None

Description

Summary

A JavaScript injection is possible via the vendors/buyers list pages and shop names, which are currently not sanitized.
This allows arbitrary JavaScript code to execute in a user's browser just by visiting the shop pages.
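
The missing output encoding described above, shown as an added example that is not FluxCP's own code: a list row built with the shop name inserted as-is, beside the same row with every player-controlled field HTML-encoded at output time. The field names `shop_title` and `char_name`, the helper names and the sample rows are assumptions made for illustration.

```php
<?php
// Added example, not FluxCP code. Field and function names are hypothetical.

/** Encode a database-sourced string for an HTML text or quoted-attribute context. */
function esc(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // byte sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: the shop name is concatenated into the markup unchanged. */
function renderRowUnsafe(array $shop): string
{
    return '<tr><td>' . $shop['shop_title'] . '</td><td>'
        . $shop['char_name'] . "</td></tr>\n";
}

/** Hardened pattern: every player-controlled field is encoded when it is output. */
function renderRowSafe(array $shop): string
{
    return '<tr><td>' . esc($shop['shop_title']) . '</td><td>'
        . esc($shop['char_name']) . "</td></tr>\n";
}

// Constructed sample rows, shaped as a vending list query might return them.
$shops = [
    ['shop_title' => 'Cheap potions & gear', 'char_name' => 'Merchant01'],
    ['shop_title' => '<script>alert(1)</script>', 'char_name' => 'Merchant02'],
];

foreach ($shops as $shop) {
    echo 'unsafe: ', renderRowUnsafe($shop);
    echo 'safe:   ', renderRowSafe($shop);

    // Regression check: encoded output must never contain a literal tag opener
    // that came from the data itself.
    if (stripos(renderRowSafe($shop), '<script') !== false) {
        throw new RuntimeException('shop name reached the page unencoded');
    }
}
```

Encoding belongs at the point of output in every template that prints a shop or character name, since the stored value can be legitimate text that still contains `&`, `<` or quotes.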

Impact

All users logged in to FluxCP can have their session info stolen.

Severity

Moderate

CVE ID

CVE-2024-45799

Weaknesses

No CWEs

Credits