Retro Cross-Site Scripting Vulnerability in Input Handling Component
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the Retro online platform, which specializes in vintage collections. This issue, present in versions prior to 2.4.7, arises from inadequate sanitization of user input in the input handling component. As a result, attackers can inject malicious JavaScript, potentially leading to session hijacking, credential theft, or the execution of arbitrary scripts in the context of the user's browser.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's session.
Remediation
Users are advised to upgrade to version 2.4.7 or later, where this vulnerability has been patched. As a temporary measure, a strict Content Security Policy (CSP) can be enabled, and unsafe HTML or JavaScript content can be filtered server-side, although upgrading is strongly recommended.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.