| tiêu đề | aureuserp 51b975a Cross Site Scripting |
|---|
| Mô tả | A stored cross-site scripting (XSS) vulnerability exists in the Chatter feature of aureuserp/aureuserp (commit 51b975a) due to unsafe rendering of user-controlled input in the Filament view content-text-entry.blade.php. The subject and body fields of notes/comments are output using Blade’s unescaped syntax ({!! !!}), allowing arbitrary HTML and JavaScript to be injected and persisted. An authenticated attacker who can create or modify Chatter messages can store a malicious payload that will execute in the browser of any user who views the affected record, potentially leading to session compromise, unauthorized actions performed in the victim’s context, and data exfiltration from the application panel. |
|---|
| Nguồn | ⚠️ https://github.com/aureuserp/aureuserp/pull/939 |
|---|
| Người dùng | kkc73 (UID 89422) |
|---|
| Đệ trình | 02/03/2026 09:20 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 14/03/2026 16:15 (12 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 351083 [Aureus ERP đến 1.3.0-BETA2 Chatter Message content-text-entry.blade.php subject/body Tập lệnh chéo trang] |
|---|
| điểm | 20 |
|---|