Worklenz Stored Cross-Site Scripting Vulnerability in Project Updates Feature
Vulnerability
A stored cross-site scripting vulnerability has been identified in Worklenz version 2.1.5, specifically within the Project Updates feature. This issue allows attackers to inject malicious scripts into the Updates text field, which are then displayed in the reporting view without adequate sanitization. As a result, harmful JavaScript can be executed in the browsers of users who view the affected page.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the project updates.
Reproduction
To reproduce this vulnerability, navigate to the Project Updates section of a project in Worklenz 2.1.5. Enter a payload, such as an image tag with an error event handler, into the Updates text field. Once the payload is saved, navigate to the Reporting section, where the injected script will be executed, demonstrating the cross-site scripting vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.