Motivian Content Management System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Motivian Content Management System version 41.0.0. This vulnerability allows remote attackers to execute arbitrary JavaScript in the context of the user's browser. The issue arises in the Marketing/Forms, Marketing/Offers, and Content/Pages components, where malicious scripts can be injected into various fields, such as form names and page headers.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the victim's browser, potentially leading to unauthorized actions or data exposure.

Reproduction

To reproduce this vulnerability, navigate to the Marketing/Forms section and create a new form. Insert a script, such as an alert, into the Name field and save the form. The injected script will execute when the form is accessed.

Remediation

Users are advised to sanitize all user inputs and escape outputs before rendering. Implementing a Content Security Policy (CSP) header can also help mitigate XSS risks.
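
The following is an added example, not code from Motivian or from the original advisory. It contrasts rendering a stored form Name unencoded with encoding it at output, and builds a CSP header value that disallows inline script. The record layout, function names, and policy directives are assumptions chosen for illustration.

```javascript
// Constructed sample records: a form whose Name field holds markup,
// and a legitimate name containing characters that must survive encoding.
const storedForm = { id: 7, name: "<script>alert(1)</script>" };
const benignForm = { id: 8, name: `Tom & "Jerry's" offer` };

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode a value for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak: the stored value is concatenated into markup unchanged.
function renderFormUnsafe(form) {
  return `<h1>${form.name}</h1><input name="title" value="${form.name}">`;
}

// Corrected: the stored value is encoded at the point of output.
function renderFormSafe(form) {
  const name = escapeHtml(form.name);
  return `<h1>${name}</h1><input name="title" value="${name}">`;
}

// Defence in depth: a policy with no 'unsafe-inline', so inline script
// that slips past encoding is not executed by the browser.
function cspHeader() {
  return [
    "default-src 'self'", "script-src 'self'",
    "object-src 'none'", "base-uri 'none'",
  ].join("; ");
}

// Regression check for a test suite: true when a stored value that
// contains HTML metacharacters appears verbatim in the rendered page.
function containsRawMarkup(html, stored) {
  return /[<>"']/.test(stored) && html.includes(stored);
}

console.log(renderFormSafe(storedForm));
console.log("Content-Security-Policy:", cspHeader());
```

Encoding must be applied in every view that prints the stored value, including the Marketing/Offers and Content/Pages fields named above; the CSP header is a second layer, not a substitute for it.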

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.