Eigenfocus Cross-Site Scripting Vulnerability in Description Handler

Vulnerability

A stored cross-site scripting vulnerability has been identified in Eigenfocus Free Edition versions up to and including 1.4.0. The issue arises in the Description Handler component: the description field of a time entry is stored and later rendered without HTML escaping, so markup and script supplied by whoever creates the entry are interpreted by the browser of every user who views it. The vulnerability can be exploited remotely by any user able to create a time entry, and it has been publicly disclosed.

Impact

Exploitation results in stored cross-site scripting: the injected script runs in the browser of each user who views the entry, with that user's session and privileges. This could lead to session hijacking, account compromise, or other actions performed in the victim's name without their consent.

Reproduction

To reproduce this vulnerability, add a new time entry and enter a description containing HTML, for example an image tag whose source cannot be loaded and whose onerror event handler carries the script. Once the entry is saved, the image fails to load and the handler fires, so the injected script executes every time the entry is viewed.

Remediation

Users are advised to upgrade to Eigenfocus version 1.4.1, which addresses this vulnerability by properly escaping HTML in time entry descriptions. The patched version is available from the Eigenfocus GitHub Releases page. If the fix is output escaping alone (the advisory does not say otherwise), entries created while a vulnerable version was deployed still hold the payload in the database; they are neutralised on display, but reviewing them for unexpected markup is worthwhile.
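The reproduction and the remediation above describe the two sides of the same bug: a description interpolated into the page verbatim versus one HTML-escaped before rendering. The following Ruby is an added example, not Eigenfocus code (Ruby is used because Eigenfocus is a Rails application); the TimeEntry struct, the two rendering functions, the active_html? check and the PAYLOAD value are all constructed for illustration. It renders a time-entry list the vulnerable way and the hardened way, then checks whether any live element with an on* handler survives.

```ruby
require "erb"

# Constructed payload of the kind the advisory describes: an <img> whose src cannot
# load, so the browser runs the onerror handler as soon as the entry is viewed.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'

# Minimal stand-in for a stored time entry; description is the attacker-controlled field.
TimeEntry = Struct.new(:id, :description)

# Vulnerable rendering (illustrative, not Eigenfocus code): the stored description is
# interpolated into the markup verbatim, so the browser parses the <img> tag and fires onerror.
def render_entry_vulnerable(entry)
  %(<tr id="entry-#{entry.id}"><td class="description">#{entry.description}</td></tr>)
end

# Hardened rendering: escape &, <, >, " and ' before interpolation. This is what Rails does
# by default for <%= %> in ERB templates, and it is the property the advisory says 1.4.1
# restores for time entry descriptions. '<' becomes '&lt;', so no tag is ever formed.
def render_entry_safe(entry)
  %(<tr id="entry-#{entry.id}"><td class="description">#{ERB::Util.html_escape(entry.description)}</td></tr>)
end

# Crude regression check over a rendered page: does any element still carry an on*
# event-handler attribute, or is there a <script> tag? Escaped descriptions match neither.
def active_html?(html)
  html.match?(/<[a-z][^>]*\bon[a-z]+\s*=/i) || html.match?(/<script\b/i)
end

# Renders a list of entries the way an affected listing page would, using the given renderer.
def render_list(entries, renderer)
  "<table>" + entries.map { |e| send(renderer, e) }.join + "</table>"
end

if __FILE__ == $PROGRAM_NAME
  entries = [TimeEntry.new(1, "Reviewed sprint board"), TimeEntry.new(2, PAYLOAD)]
  puts render_list(entries, :render_entry_vulnerable)
  puts "vulnerable page contains active HTML: #{active_html?(render_list(entries, :render_entry_vulnerable))}"
  puts render_list(entries, :render_entry_safe)
  puts "hardened page contains active HTML: #{active_html?(render_list(entries, :render_entry_safe))}"
end
```

The check is deliberately simple and is meant as a test-suite assertion against the rendered listing, not as an input filter: escaping on output is the fix, and rejecting or stripping tags on input would leave other render paths exposed. In a Rails view the vulnerable shape usually appears only when the default escaping of <%= %> is bypassed, for example with html_safe or raw on user-controlled text; whether that is how the Eigenfocus bug was introduced is not stated in the advisory.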

Added: Nov 24, 2025, 5:19 AM
Updated: Nov 24, 2025, 5:19 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.7
exploitability  6.3
remediation     7.7
relevance       1.1
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.