Vulnerability Description: HTML Injection - Stored - CWE-80
Software Version: 7.6.04
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-34398
CVSS:
Severity:
Credits: Gabriele Duchi, Marco Ventura, Giulio Pellegrini, Massimiliano Brolli
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
This may allow such characters to be treated as control characters, which are executed client-side in the context of the user's session.
Security Impact
An authenticated attacker can store arbitrary HTML code in order to corrupt the web page, for example by creating phishing sections to extrapolate the victims' credentials.