Description

In WEMS Limited Enterprise Manager 2.58, input passed to the GET parameter 'email' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in context of an affected site.

Related CPE's

a

wems

enterprise_manager

4

References

https://cxsecurity.com/issue/WLB-2020010032

ExploitThird Party Advisory

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5551.php

ExploitThird Party Advisory

Weaknesses

[email protected]

Primary
CWE-79

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.1 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2021-04-28T15:15:07.883

4 years ago

Last modified

2021-05-05T20:25:58.980

4 years ago