| Título | https://github.com/1Panel-dev/CordysCRM CordysCRM v1.4.1 Stored XSS |
|---|
| Descrição | The AnnouncementController component in CordysCRM v1.4.1 contains a stored cross-site scripting (XSS) vulnerability. This vulnerability stems from the addAnnouncement() method's failure to adequately validate or encode the content parameter when processing new announcement requests. A remote attacker could use the /announcement/add interface to submit announcement content containing malicious JavaScript code. This announcement could be viewed by any user, allowing an attack on any user on the system. When a designated user (such as an administrator or regular employee) views the announcement, the malicious script will execute in their browser environment. |
|---|
| Fonte | ⚠️ https://github.com/1Panel-dev/CordysCRM/issues/2229 |
|---|
| Utilizador | DaytimeHeaven (UID 96977) |
|---|
| Submissão | 13/05/2026 12h37 (há 24 dias) |
|---|
| Moderação | 01/06/2026 07h49 (19 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 367596 [1Panel-dev CordysCRM até 1.6.2 RequestParamTrimConfig.java Script de Site Cruzado] |
|---|
| Pontos | 20 |
|---|