| शीर्षक | bdtask Sales ERP Software Latest version as of 2025-10-24 Stored HTML Injection |
|---|
| विवरण | A Stored HTML Injection vulnerability exists in the user profile functionality of Sales ERP Software. The application's input filter for the 'first_name' and 'last_name' parameters is incomplete, failing to sanitize standard HTML tags like <a> or <h1> while blocking <script> tags. An authenticated attacker can inject malicious HTML payloads into these fields. The injected HTML is then stored in the database and rendered on any page displaying the user's name, affecting all users who view the compromised profile. This can be exploited to conduct phishing attacks by embedding deceptive links or to cause website defacement. |
|---|
| स्रोत | ⚠️ https://github.com/4m3rr0r/PoCVulDb/issues/2 |
|---|
| उपयोगकर्ता | 4m3rr0r (UID 85795) |
|---|
| सबमिशन | 29/10/2025 02:27 PM (8 महीनों पहले) |
|---|
| संयम | 14/11/2025 12:01 PM (16 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 332468 [Bdtask/CodeCanyon SalesERP तक 20250728 User Profile /edit_profile first_name/last_name क्रॉस साइट स्क्रिप्टिंग] |
|---|
| अंक | 20 |
|---|