AVE System Web Client Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in AVE System Web Client version 2.1.131.13992. This issue arises from inadequate input validation, allowing users to inject and execute JavaScript. The vulnerability can be exploited by sending a crafted request that includes malicious JavaScript in a field that does not properly sanitize user input.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a GET request to the 'GetSchedulerProfiles.rails' endpoint. Include a 'filter' parameter with a value that contains an image tag (IMG) using the 'onerror' attribute to execute JavaScript, such as a prompt. The request must also include a valid 'sessionId' and 'schedulerIds' to be processed by the application.