| Titre | https://github.com/1Panel-dev/CordysCRM CordysCRM v1.4.1 Stored XSS |
|---|
| Description | The AnnouncementController component in CordysCRM v1.4.1 contains a stored cross-site scripting (XSS) vulnerability. This vulnerability stems from the addAnnouncement() method's failure to adequately validate or encode the content parameter when processing new announcement requests. A remote attacker could use the /announcement/add interface to submit announcement content containing malicious JavaScript code. This announcement could be viewed by any user, allowing an attack on any user on the system. When a designated user (such as an administrator or regular employee) views the announcement, the malicious script will execute in their browser environment. |
|---|
| La source | ⚠️ https://github.com/1Panel-dev/CordysCRM/issues/2229 |
|---|
| Utilisateur | DaytimeHeaven (UID 96977) |
|---|
| Soumission | 13/05/2026 12:37 (il y a 25 jours) |
|---|
| Modérer | 01/06/2026 07:49 (19 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 367596 [1Panel-dev CordysCRM jusqu’à 1.6.2 RequestParamTrimConfig.java cross site scripting] |
|---|
| Points | 20 |
|---|