HortusFox Web Cross-Site Scripting Vulnerability in Admin User Creation Endpoint
Vulnerability
A reflected cross-site scripting vulnerability has been identified in HortusFox Web version 4.4. The issue arises in the admin user creation endpoint, specifically within the 'email' parameter. When an administrator submits a crafted email value that triggers a validation error, the unsanitized input is echoed back in an error message. This allows for the execution of arbitrary JavaScript in the context of the administrator's browser.
Impact
Exploitation of this vulnerability results in reflected cross-site scripting: a script injected through the 'email' parameter is executed in the browser of the administrator who submits the crafted form, with that administrator's session privileges.
Reproduction
To reproduce this vulnerability, log in as an administrator and navigate to the user creation form. Inject a script payload into the email field, such as a script tag containing JavaScript code, and submit the form. This will trigger a validation error, causing the injected script to be executed in the admin's browser.
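The defect described above is the classic reflected-XSS pattern: a validation error message echoes the submitted value straight into the HTML response. The following is an added example (not HortusFox's own code; the handler, regex and sample input are constructed stand-ins) that shows the vulnerable rendering beside the fixed one, where the reflected value is HTML-escaped before insertion, plus a simple check a tester can use to confirm whether a response reflects input unescaped.

```python
import html
import re
from typing import Optional

# Constructed, minimal stand-in for an admin "create user" handler.
# Not HortusFox's code; it only illustrates the pattern in the advisory.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed invalid input containing markup; it fails validation on purpose.
BAD_INPUT = "<b>not-an-email</b>"


def validate_email(email: str) -> Optional[str]:
    """Return a (still unescaped) error message if the email is invalid, else None."""
    if not EMAIL_RE.match(email):
        return f"The email address '{email}' is not valid."
    return None


def render_create_user_vulnerable(email: str) -> str:
    """Reflects the raw submitted value into the HTML error box (the reported defect)."""
    err = validate_email(email)
    if err is None:
        return "<p>User created.</p>"
    # Defect: user-controlled text is interpolated into HTML without escaping.
    return f'<div class="error">{err}</div>'


def render_create_user_fixed(email: str) -> str:
    """Same logic, but the reflected value is HTML-escaped before insertion."""
    err = validate_email(email)
    if err is None:
        return "<p>User created.</p>"
    # Fix: escape <, >, &, " and ' so the value is shown as text, not parsed as markup.
    return f'<div class="error">{html.escape(err, quote=True)}</div>'


def reflects_unescaped(page: str, submitted: str) -> bool:
    """Detection check: True if the submitted value appears verbatim in the response.

    A value containing markup characters that survives unchanged is the signal a
    tester looks for when confirming (or ruling out) reflected XSS in an error page.
    """
    return submitted in page
```

Usage: `reflects_unescaped(render_create_user_vulnerable(BAD_INPUT), BAD_INPUT)` is `True`, while the fixed renderer returns `False` because the tags come back as `&lt;b&gt;...&lt;/b&gt;`. Output escaping at the point of insertion is the primary fix; a Content-Security-Policy that disallows inline scripts is a worthwhile defence-in-depth layer but does not replace it.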
