| Title | Vanderlande OpenAIR - Baggage 360 v7.0.0 Cross-Site Scripting (XSS) Stored |
|---|---|
| Description | Vanderlande OpenAIR Baggage 360 v7.0.0 is vulnerable to stored XSS in the Messages feature. The endpoint POST /api-addons/v1/messages accepts HTML in the message field, stores it, and renders it unescaped. The payload executes when a user opens Bags → [select bag tag] → Interterm Bag Journey Details → Messages. A remote, authenticated low-privileged user can inject a script (e.g., `<img src=x onerror=alert(document.cookie)>`) into the message field and submit it. Anyone who later opens the affected bag tag will execute the JavaScript. The critical risk is that the Bags screen allows bulk selection, so using "Add Message" an attacker can attach the malicious payload to all selected bag tags in a single request. |
| Source | https://github.com/YasserREED/YasserREED-CVEs/edit/main/Vanderlande-OpenAIR-Baggage360/Stored%20Cross-Site%20Scripting%20(XSS).md |
| User | Anonymous User |
| Submission | 2025-09-24 10:43 PM (7 months ago) |
| Moderation | 2025-10-05 07:54 AM (10 days later) |
| Status | Accepted |
| VulDB entry | 327189 [Vanderlande Baggage 360 7.0.0 /api-addons/v1/messages message cross site scripting] |
| Points | 20 |