| Título | aureuserp 51b975a Cross Site Scripting |
|---|
| Descripción | A stored cross-site scripting (XSS) vulnerability exists in the Chatter feature of aureuserp/aureuserp (commit 51b975a) due to unsafe rendering of user-controlled input in the Filament view content-text-entry.blade.php. The subject and body fields of notes/comments are output using Blade’s unescaped syntax ({!! !!}), allowing arbitrary HTML and JavaScript to be injected and persisted. An authenticated attacker who can create or modify Chatter messages can store a malicious payload that will execute in the browser of any user who views the affected record, potentially leading to session compromise, unauthorized actions performed in the victim’s context, and data exfiltration from the application panel. |
|---|
| Fuente | ⚠️ https://github.com/aureuserp/aureuserp/pull/939 |
|---|
| Usuario | kkc73 (UID 89422) |
|---|
| Sumisión | 2026-03-02 09:20 (hace 1 mes) |
|---|
| Moderación | 2026-03-14 16:15 (12 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 351083 [Aureus ERP hasta 1.3.0-BETA2 Chatter Message content-text-entry.blade.php subject/body secuencias de comandos en sitios cruzados] |
|---|
| Puntos | 20 |
|---|