A stored Cross-Site Scripting (XSS) vulnerability in Wolters Kluwer TeamMate+ 35.0.11.0 allows injection of arbitrary JavaScript code due to improper handling of user-provided input.
It is possible to insert the following JavaScript code: <img src="x" <table="" onerror="alert()"
into these fields:
- TeamStore -> Control -> New Cabinet -> New Folder -> New Control -> Control Description
- TeamStore -> ERM Risk Types -> New Cabinet -> New Folder -> New ERM Risk Types -> Definition
- TeamStore -> Planned Procedures -> New Cabinet -> New Folder -> New Planned Procedures -> Planned Procedures Description
- TeamStore -> Planned Procedures -> New Cabinet -> New Folder -> New Planned Procedures -> Conclusion
- TeamStore -> Planned Procedures -> New Cabinet -> New Folder -> New Planned Procedures -> Record of Work Done
- TeamStore -> Finding -> New Cabinet -> New Folder -> New Finding -> Finding Details
- TeamStore -> Finding -> New Cabinet -> New Folder -> New Finding -> New Recommendation -> GIA Recommendation
- TeamStore -> Finding -> New Cabinet -> New Folder -> New Finding -> New Recommendation -> Management Response
- TeamStore -> Finding -> New Cabinet -> New Folder -> New Finding -> New Recommendation -> Management Action
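
The following is an added example, not code from TeamMate+ or from the advisory. It shows why output encoding, rather than tag stripping, neutralizes the payload above when a stored field is rendered. The functions naiveStripTags, escapeHtml, renderField and containsActiveMarkup are hypothetical, and the tag-stripping filter is an assumed weak approach for comparison; the advisory does not say how the product processes input.

```javascript
// Added example: constructed helpers, not TeamMate+ code.
// Payload exactly as given in the advisory. Note the tag is never closed with '>'.
const PAYLOAD = '<img src="x" <table="" onerror="alert()"';

// Assumed weak approach: remove anything that looks like a complete <...> tag.
// An unterminated tag contains no '>' and passes through unchanged.
function naiveStripTags(input) {
  return String(input).replace(/<[^>]*>/g, '');
}

// Output encoding for HTML element content and quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a stored field value into a page fragment. The markup that follows
// the value supplies the '>' that an unterminated tag in the value lacks.
function renderField(label, value, encode) {
  return `<div class="field"><b>${escapeHtml(label)}</b>: ${encode(value)}</div>`;
}

// Review/test helper: does the fragment contain a tag opener that carries
// an inline event-handler attribute (on...=)?
function containsActiveMarkup(html) {
  return /<\s*[a-z][^>]*\bon\w+\s*=/i.test(html);
}

// Case 1: strip tags on input, render without encoding (value is unchanged).
const stripped = naiveStripTags(PAYLOAD);
const unsafeHtml = renderField('Finding Details', stripped, (v) => v);

// Case 2: store the value as entered, encode it at render time.
const safeHtml = renderField('Finding Details', PAYLOAD, escapeHtml);

console.log('filter changed payload:', stripped !== PAYLOAD);
console.log('unencoded render has active markup:', containsActiveMarkup(unsafeHtml));
console.log('encoded render has active markup:', containsActiveMarkup(safeHtml));
```

Encoding is applied at the point of output, so it also covers values that were already stored before a fix was deployed.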