adata Software Employee Portal Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the bulletin board component of adata Software GmbH's Employee Portal, specifically in version 2.15.2.0. This vulnerability allows remote authenticated users to execute arbitrary JavaScript in the browsers of other users. The issue arises from manipulating the 'Inhalt' parameter in requests to create or edit messages on the bulletin board.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected bulletin board post.

Reproduction

To reproduce this vulnerability, send a request to either the 'CreateNachricht' or 'EditNachricht' endpoint, including a script payload in the 'Inhalt' parameter. Once the message is saved, any user who views the details of that message will trigger the execution of the injected script.

Remediation

Users can update to adata Software Employee Portal version 2.16.1 or later, where this vulnerability has been addressed.