CentralSquare Community Development Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in CentralSquare Community Development version 19.5.7.1. The issue lies in the eTRAKiT platform, which municipalities use to manage permit records and inspections. The vulnerability arises because user input submitted through various form fields is rendered without proper output encoding. This flaw was confirmed in at least sixteen commonly used form parameters, including those related to applicants, owners, agents, surveyors, profiles, and project descriptions on custom forms. As a result, malicious scripts can be persistently stored and executed in the browsers of users who later view the affected records, potentially leading to credential theft, unauthorized transactions, or privilege escalation through session compromise.

Impact

Exploitation of this vulnerability allows an attacker to inject scripts that are stored with the record and later executed in the browser of any user who views it, posing risks such as credential theft, unauthorized transactions, or elevated privileges through session hijacking.

Remediation

CentralSquare has indicated that it will contact affected organizations with guidance on updating. In the meantime, it is recommended to review stored form fields for any unexpected HTML or JavaScript content.
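The two defensive actions the advisory describes, reviewing stored form fields for unexpected HTML or JavaScript and encoding field values on output, can both be done with a few lines of Python. The following is an added example written for this page; it is not CentralSquare's or eTRAKiT's code. The field names (applicant_name, owner_name, agent_name, surveyor_name, project_description) and the permit records are constructed to stand in for the kinds of parameters the advisory names, and the patterns are a triage aid for exported records, not a complete XSS detector: every hit still needs a human look.

```python
import html
import re

# Indicators that a field meant to hold plain text contains markup or script.
# These are deliberately broad (a benign "<b>" is flagged too); the goal is to
# surface records for manual review, not to prove they are malicious.
SUSPICIOUS_PATTERNS = [
    ("html_tag", re.compile(r"</?[a-zA-Z][^>]*>")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("entity_encoded_tag", re.compile(r"&(lt|#60|#x3c);", re.IGNORECASE)),
]

# Assumed field names standing in for the applicant/owner/agent/surveyor/
# project-description parameters the advisory mentions.
FIELDS_TO_REVIEW = [
    "applicant_name",
    "owner_name",
    "agent_name",
    "surveyor_name",
    "project_description",
]

# Constructed sample export; "xss-canary" marks a harmless test string.
SAMPLE_RECORDS = [
    {
        "permit_id": "P-1001",
        "applicant_name": "Jane Doe",
        "owner_name": "Jane Doe",
        "agent_name": "",
        "surveyor_name": "ACME Survey LLC",
        "project_description": "Detached garage, 24x24",
    },
    {
        "permit_id": "P-1002",
        "applicant_name": "John Smith",
        "owner_name": "javascript:canary",
        "agent_name": "",
        "surveyor_name": "",
        "project_description": "<script>alert('xss-canary')</script>",
    },
    {
        "permit_id": "P-1003",
        "applicant_name": "A & B Builders <b>LLC</b>",
        "owner_name": "Alice",
        "agent_name": "Bob",
        "surveyor_name": "",
        "project_description": "Fence replacement",
    },
]


def flag_record(record):
    """Return (field, indicator) pairs for every reviewed field that matches."""
    hits = []
    for field in FIELDS_TO_REVIEW:
        value = record.get(field)
        if not isinstance(value, str):
            continue
        for label, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(value):
                hits.append((field, label))
    return hits


def scan_records(records):
    """Map permit_id -> hits for records that need manual review."""
    findings = {}
    for record in records:
        hits = flag_record(record)
        if hits:
            findings[record["permit_id"]] = hits
    return findings


def render_field_unsafe(value):
    """The defective pattern: stored text interpolated straight into HTML."""
    return f"<td>{value}</td>"


def render_field_safe(value):
    """The fix: HTML-encode on output so stored markup is displayed, not run."""
    return f"<td>{html.escape(value, quote=True)}</td>"


if __name__ == "__main__":
    for permit_id, hits in scan_records(SAMPLE_RECORDS).items():
        print(permit_id, hits)
    print(render_field_safe(SAMPLE_RECORDS[2]["applicant_name"]))
```

Run against a CSV or database export of the affected tables, `scan_records` gives a short list of permits to inspect. `render_field_safe` shows what the application itself needs to do on every output path: encoding at render time is what makes a stored `<script>` harmless, whereas filtering on input alone leaves existing records and any overlooked field exposed.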

Added: Nov 12, 2025, 6:29 PM
Updated: Nov 12, 2025, 11:12 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.7
exploitability  6.4
remediation     0.0
relevance       1.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.