Mend Vulnerability Database
What is a CVE vulnerability ID? What is a WS vulnerability ID?New vulnerability? Tell us about it!
We found results for “”
Date: December 29, 2021
OverviewIn “ifme”, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe.
DetailsIFme has a self-stored XSS vulnerability in Contacts field as it allows loading XSS payloads fetched via an iframe.
PoC DetailsAccess the application by going to http://localhost:3000/users/sign_in and login with admin credentials. Go to http://localhost:3000/care_plan and in Phone Number, enter the xss payload (found in PoC Code section). Refresh the page. We see that stored xss is triggered.
Affected Environmentsv7.22.0 to v7.31.4
PreventionUpdate to version v7.32
Good to know:
|Attack Vector (AV):||Network|
|Attack Complexity (AC):||Low|
|Privileges Required (PR):||Low|
|User Interaction (UI):||Required|
|Access Vector (AV):||Network|
|Access Complexity (AC):||Medium|