| Titel | https://github.com/1Panel-dev/CordysCRM CordysCRM v1.4.1 Stored XSS |
|---|
| Beschreibung | The AnnouncementController component in CordysCRM v1.4.1 contains a stored cross-site scripting (XSS) vulnerability. This vulnerability stems from the addAnnouncement() method's failure to adequately validate or encode the content parameter when processing new announcement requests. A remote attacker could use the /announcement/add interface to submit announcement content containing malicious JavaScript code. This announcement could be viewed by any user, allowing an attack on any user on the system. When a designated user (such as an administrator or regular employee) views the announcement, the malicious script will execute in their browser environment. |
|---|
| Quelle | ⚠️ https://github.com/1Panel-dev/CordysCRM/issues/2229 |
|---|
| Benutzer | DaytimeHeaven (UID 96977) |
|---|
| Einreichung | 13.05.2026 12:37 (vor 22 Tagen) |
|---|
| Moderieren | 01.06.2026 07:49 (19 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 367596 [1Panel-dev CordysCRM bis 1.6.2 RequestParamTrimConfig.java Cross Site Scripting] |
|---|
| Punkte | 20 |
|---|