Submeter #769827: aureuserp 51b975a Cross Site Scriptinginformação

Títuloaureuserp 51b975a Cross Site Scripting
DescriçãoA stored cross-site scripting (XSS) vulnerability exists in the Chatter feature of aureuserp/aureuserp (commit 51b975a) due to unsafe rendering of user-controlled input in the Filament view content-text-entry.blade.php. The subject and body fields of notes/comments are output using Blade’s unescaped syntax ({!! !!}), allowing arbitrary HTML and JavaScript to be injected and persisted. An authenticated attacker who can create or modify Chatter messages can store a malicious payload that will execute in the browser of any user who views the affected record, potentially leading to session compromise, unauthorized actions performed in the victim’s context, and data exfiltration from the application panel.
Fonte⚠️ https://github.com/aureuserp/aureuserp/pull/939
Utilizador
 kkc73 (UID 89422)
Submissão02/03/2026 09h20 (há 1 mês)
Moderação14/03/2026 16h15 (12 days later)
EstadoAceite
Entrada VulDB351083 [Aureus ERP até 1.3.0-BETA2 Chatter Message content-text-entry.blade.php subject/body Script de Site Cruzado]
Pontos20

VoltarVisão GeralPróximo

Do you know our Splunk app?

Download it now for free!