CVE-2023-26846
Vendor
OpenCATS
Affected Versions
Version 0.9.7 and earlier.
Vulnerability
Cross-Site Scripting (XSS) - CWE: 79
Description
A stored Cross-Site Scripting (XSS) vulnerability in OpenCATS v0.9.7 allows an attacker to execute arbitrary web script or HTML via a crafted payload injected into the city parameter at opencats/index.php?m=candidates. Because the injection is stored, the payload is saved with the candidate record and executes in the browser of any user who later views that record through the candidates module.
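The following PHP snippet is an added illustration of the bug class described above, not OpenCATS code and not the vendor's fix: the record layout, the function names and the sample candidate value are assumptions constructed for this example. It shows a stored city value being concatenated into the page unencoded beside the same value rendered through context-aware HTML encoding.

```php
<?php
// Added illustration of stored XSS in a rendered field. NOT OpenCATS code;
// the record layout, function names and sample data are assumptions.

// Constructed candidate record as it might come back from the database after
// someone submitted the candidate form with markup in the "city" field.
$candidate = [
    'id'    => 42,
    'first' => 'Jane',
    'last'  => 'Doe',
    'city'  => '<script>alert(document.cookie)</script>',
];

// Vulnerable pattern: the stored value is concatenated straight into the page.
// The browser parses whatever the submitter typed into "city" as live markup,
// so the script runs for every user who views the list.
function renderCityVulnerable(array $c): string
{
    return '<td>' . $c['city'] . '</td>';
}

// Hardened pattern: encode for the HTML context at output time, not at input
// time. ENT_QUOTES also encodes ' and ", so the same helper is safe inside
// quoted attribute values; the explicit charset avoids mis-encoding on
// installations that are not UTF-8 by default.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCitySafe(array $c): string
{
    return '<td>' . h($c['city']) . '</td>';
}

// The same value placed in an attribute or a URL is a separate injection
// point; each output context needs its own encoder (h() for attribute text,
// rawurlencode() for the query-string value).
function renderCityLinkSafe(array $c): string
{
    $q = h($c['city']);
    return '<a href="index.php?m=candidates&amp;city=' . rawurlencode($c['city'])
         . '" title="' . $q . '">' . $q . '</a>';
}

echo renderCityVulnerable($candidate), PHP_EOL;
echo renderCitySafe($candidate), PHP_EOL;
echo renderCityLinkSafe($candidate), PHP_EOL;
```

The first line reaches the browser as executable markup; the second and third render the same stored value as literal text, which is the behaviour a fixed version should show when the candidates page is retested with a marker payload in the city field.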
Remediation
Upgrade to version 0.9.7.2.
Disclosure Timeline
- February 14, 2023: I notified the vendor.
- February 15, 2023: Vendor confirmed.
- March 7, 2023: Vendor fixed this issue in version 0.9.7.2.
- April 8, 2023: Public disclosure.
CVE Reference
MITRE has assigned the identifier CVE-2023-26846 to this vulnerability.
Credits
Vulnerability discovered by Davide Bernacchia.