Sherpa Orchestrator Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Sherpa Orchestrator version 141851. The issue arises in the license management feature, where administrators can add or update licenses. The name parameter of a license accepts injected XSS payloads. These payloads are executed when the license expires, potentially leading to the capture of session data from users logging into the application.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user.

Reproduction

To reproduce this vulnerability, an administrator must add a new license containing JavaScript code in the name field. Once the license is added, it will expire after a certain period. When the license expires, the injected JavaScript code is executed when users log in to their personal accounts in the application.
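
The pattern described above, together with its fix, as an added example that is not from the advisory or from Sherpa Orchestrator: the license name is checked when a license is added or updated and HTML-encoded when the expiry notice is rendered at login, so names stored before the check existed are rendered inert as well. All function names, the allowlist and the sample records are assumptions constructed for illustration.

```javascript
// Added example: hypothetical names throughout, not Sherpa Orchestrator code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Write-side check for add/update: character allowlist plus a length bound.
// The allowlist is an assumption; adapt it to the real license naming rules.
const LICENSE_NAME_RE = /^[\p{L}\p{N} ._()-]{1,64}$/u;
function validateLicenseName(name) {
  return typeof name === "string" && LICENSE_NAME_RE.test(name);
}

// Vulnerable pattern: the stored name is concatenated into markup unencoded.
function renderExpiryNoticeUnsafe(license) {
  return `<div class="notice">License ${license.name} has expired.</div>`;
}

// Hardened pattern: the stored name is encoded at the point of output.
function renderExpiryNotice(license) {
  return `<div class="notice">License ${escapeHtml(license.name)} has expired.</div>`;
}

// Licenses whose expiry notice is due at the given time.
function expiredLicenses(licenses, now) {
  return licenses.filter((license) => license.expiresAt <= now);
}

// Notices shown to a user at login. Output encoding also covers legacy
// records that were stored before the write-side check was introduced.
function loginNotices(licenses, now) {
  return expiredLicenses(licenses, now).map(renderExpiryNotice);
}

// Constructed sample records (timestamps are arbitrary integers).
const storedLicenses = [
  { name: "Robot Pack (EU)", expiresAt: 1000 },
  { name: "Pack <script>alert(1)</script>", expiresAt: 1000 }, // legacy record
  { name: "Future Pack", expiresAt: 9000 },
];

console.log(loginNotices(storedLicenses, 5000).join("\n"));
```

Input validation alone does not neutralise names that are already stored, which is why the encoding step sits in the render path that runs when the license expires.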

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.1
remediation: 0.0
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.