SysReptor Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in SysReptor, a pentest reporting platform, affecting versions through 2025.96. This vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading harmful JavaScript files via the web interface.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded malicious files are executed in the context of other users.

Remediation

Users can update to SysReptor version 2025.102 to address this vulnerability. After updating, SysReptor admins should review their systems for any uploaded malicious files, particularly those ending in .js, .html, or .htm. This can be done through the Django admin interface by checking the 'uploaded asset', 'uploaded image', 'uploaded project file', 'uploaded template image', 'uploaded user notebook file', and 'uploaded user notebook image' sections.