Submit #652764: 浩辰软件股份有限公司 (Gstarsoft Co., Ltd.) 浩辰CAD看图王 (GstarCAD Viewer Web) V9.4.0 Stored Cross-Site Scripting (XSS)

Title: 浩辰软件股份有限公司 (Gstarsoft Co., Ltd.) 浩辰CAD看图王 (GstarCAD Viewer Web) V9.4.0 Stored Cross-Site Scripting (XSS)

Description: The web-based version of GstarCAD Viewer V9.4.0 is vulnerable to stored cross-site scripting (XSS) in the file renaming feature. An attacker can inject JavaScript into the file name field; the name is stored server-side without sanitization. When the file list, or the renamed file itself, is later rendered by the application, the injected code executes in the victim's browser within the application's origin. If a maliciously renamed file is shared with other users via link, anyone opening the shared file is also exposed to the payload, so the attack spreads beyond the attacker's own account.

This vulnerability can lead to:

• Theft of sensitive user information (cookies, session tokens).
• Unauthorized actions performed on behalf of logged-in users.
• Persistent compromise of user accounts, since the payload is stored on the server and re-executes on every render.
• Secondary exploitation through shared links, extending the impact beyond the original environment.

User: BlackSpdier (UID 89912)
Submission: 09/11/2025 16:52
Moderation: 09/28/2025 20:27 (17 days later)
Status: Accepted
VulDB entry: 326214 [Gstarsoft GstarCAD up to 9.4.0 File Renaming cross site scripting]
Points: 17
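The bug class described above, as an added example that is not part of the submission or of Gstarsoft's code: a file name that is stored verbatim and later concatenated into the file-list markup becomes stored XSS, and the rendering fires again for every viewer of the list or of a shared link. The payload string, the `file` object shape (`id`, `name`), and the function names are constructed for this illustration; the vulnerable renderer is shown beside an output-escaping renderer and a server-side input check for the rename endpoint.

```javascript
// Added example, not code from GstarCAD Viewer. Shows (1) a renderer that
// trusts a stored file name, (2) the same renderer with HTML escaping on
// output, and (3) an input check for the rename endpoint (defence in depth).

// Constructed attacker-supplied name, as submitted through a rename feature.
const PAYLOAD_NAME = '<img src=x onerror="alert(document.cookie)">.dwg';

// (1) Vulnerable: the stored name is dropped into markup unchanged, so the
// <img onerror=...> executes in the browser of whoever renders the list.
function renderRowUnsafe(file) {
  return `<li class="file" data-id="${file.id}">${file.name}</li>`;
}

// Escape the characters that change meaning in HTML text and attribute
// contexts. This must be applied at every render point, including the
// "shared file" page, because the server keeps the raw name.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// (2) Hardened: escape on output and refuse to interpolate a non-numeric id
// into an attribute.
function renderRowSafe(file) {
  const id = Number.isInteger(file.id) ? file.id : 0;
  return `<li class="file" data-id="${id}">${escapeHtml(file.name)}</li>`;
}

// (3) Input check for the rename endpoint. Control characters and the
// Windows-reserved set (which includes <, >, ", /, \) have no place in a
// user-chosen file name; rejecting them here is a second line of defence,
// not a substitute for escaping on output.
const RESERVED_CHARS = /[\x00-\x1f<>:"\/\\|?*]/;
const MAX_NAME_LENGTH = 255; // assumed limit for this example

function validateFileName(name) {
  if (typeof name !== 'string' || name.length === 0) {
    return { ok: false, reason: 'empty name' };
  }
  if (name.length > MAX_NAME_LENGTH) {
    return { ok: false, reason: 'name too long' };
  }
  if (RESERVED_CHARS.test(name)) {
    return { ok: false, reason: 'reserved or control character' };
  }
  if (name === '.' || name === '..' || name.trim() !== name) {
    return { ok: false, reason: 'dot-only or padded name' };
  }
  return { ok: true, reason: null };
}

// Render a whole list the safe way; every row goes through the escaper.
function renderFileListSafe(files) {
  return `<ul id="files">${files.map(renderRowSafe).join('')}</ul>`;
}

// Stand-alone demonstration.
const sample = { id: 7, name: PAYLOAD_NAME };
console.log('unsafe :', renderRowUnsafe(sample));
console.log('safe   :', renderRowSafe(sample));
console.log('rename :', validateFileName(PAYLOAD_NAME));
console.log('rename :', validateFileName('floor plan (v2).dwg'));
```

In a real client, prefer `element.textContent = file.name` or a framework's text binding over building strings at all; `escapeHtml` is shown because string templating is what the vulnerable pattern looks like. The validator is deliberately not the fix: a name such as `a&b.dwg` is legitimate and must still be escaped when rendered.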
