Genealogy Application Authenticated Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in the Genealogy PHP application, affecting all versions prior to 4.4.0. It allows an authenticated attacker to inject arbitrary JavaScript that executes in the context of another user's session.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in another user's browser session, potentially leading to session hijacking, data theft, and manipulation of the user interface.
Reproduction
To reproduce this vulnerability, an authenticated user can inject JavaScript into a field that does not properly sanitize user input. Once the content is saved, the injected script will execute when the data is viewed by another user.
Remediation
Users are advised to upgrade to version 4.4.0 or later, where this vulnerability has been fixed. For those unable to upgrade immediately, it is recommended to sanitize or escape user-generated content before displaying it, and to review file storage settings to prevent unauthorized access to sensitive files.
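An added example of the output-escaping advice above, not code from the Genealogy project: the record fields and helper names are hypothetical, the stored values are constructed, and it assumes PHP 8.0 or later. It contrasts echoing a stored value as markup with encoding it for the HTML body, a quoted attribute, and an inline script.

```php
<?php
declare(strict_types=1);

// Constructed sample record as it might come back from storage.
// Field names are hypothetical, not taken from the application.
$person = [
    'name'  => 'Ada <script>alert(1)</script>',
    'notes' => '" onmouseover="alert(1)',
];

// Encode for HTML element content and quoted attribute values.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode a value as a JavaScript literal for use inside a <script> block.
// The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the
// value cannot close the script element or break out of a string.
function esc_js(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Before: the stored value is concatenated into the page as markup,
// so the browser parses whatever the submitting user saved.
$unsafe = '<h1>' . $person['name'] . '</h1>';

// After: each value is encoded for the context it lands in.
$safe = '<h1>' . esc_html($person['name']) . '</h1>' . PHP_EOL
      . '<input name="notes" value="' . esc_html($person['notes']) . '">' . PHP_EOL
      . '<script>const personName = ' . esc_js($person['name']) . ';</script>';

echo "Unescaped:", PHP_EOL, $unsafe, PHP_EOL, PHP_EOL;
echo "Escaped:", PHP_EOL, $safe, PHP_EOL;
```

Escaping belongs at the point of output rather than at save time, so that values already stored before the fix are also rendered inert.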
