Kiamo Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Kiamo versions prior to 8.4. This vulnerability arises from inadequate output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript, which is executed in the browsers of users viewing the affected pages.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the page.

Reproduction

The vulnerability can be reproduced by logging into Kiamo as an administrative user and navigating to the administration interface. Once there, inject JavaScript into the 'description' field of a user variable. When the page is viewed, the injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users should update to Kiamo version 8.4 or later, where this vulnerability has been fixed. It is also recommended to limit access to administrative interfaces and to monitor the affected fields for injected markup.
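The root cause named above is missing output encoding, and the remediation recommends monitoring the affected fields. The following added example (not Kiamo code; the function names, the field layout and the sample values are constructed for illustration) shows the vulnerable rendering beside its hardened form, and a simple audit helper that flags stored description values containing markup, the kind of check a defender could run over exported user-variable data.

```python
import html
import re

# Vulnerable rendering: the admin-entered description is interpolated into the
# page unencoded, so any markup it contains becomes part of the DOM.
def render_description_unsafe(description: str) -> str:
    return f'<td class="description">{description}</td>'

# Hardened rendering: HTML output encoding is applied to the same value before
# it reaches the page, so angle brackets, quotes and ampersands are shown as text.
def render_description_safe(description: str) -> str:
    return f'<td class="description">{html.escape(description, quote=True)}</td>'

# Rough indicator of tag, event-handler or javascript: URL content in a free-text
# field. This is a monitoring aid for reviewing stored data, not an input filter;
# output encoding remains the actual fix.
_MARKUP_INDICATORS = re.compile(
    r"<\s*/?\s*[a-z][a-z0-9]*|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

def looks_like_injected_markup(value: str) -> bool:
    return _MARKUP_INDICATORS.search(value) is not None

def audit_user_variables(user_variables: dict) -> list:
    """Return (variable_name, field_name) pairs whose stored value looks like markup.

    `user_variables` is assumed to map a variable name to a dict of its text fields
    (constructed layout; Kiamo's real export format is not shown on the advisory).
    """
    findings = []
    for name, fields in user_variables.items():
        for field, value in fields.items():
            if looks_like_injected_markup(value):
                findings.append((name, field))
    return findings

# Constructed sample data: one benign description and one containing a script tag.
SAMPLE_USER_VARIABLES = {
    "customer_tier": {"description": "Gold / Silver / Bronze tier for routing"},
    "callback_note": {"description": "<script>alert(1)</script>"},
}

if __name__ == "__main__":
    for name, fields in SAMPLE_USER_VARIABLES.items():
        print(name, "unsafe:", render_description_unsafe(fields["description"]))
        print(name, "safe:  ", render_description_safe(fields["description"]))
    print("flagged:", audit_user_variables(SAMPLE_USER_VARIABLES))
```

The audit regex is deliberately broad and will flag legitimate text that happens to contain angle brackets; treat its output as a review queue rather than a verdict, and rely on the encoded rendering path for protection.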

Added: Apr 9, 2026, 5:04 PM
Updated: Apr 9, 2026, 5:04 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 5.9
remediation: 0.0
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.