Typesetter CMS Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting (XSS) vulnerability has been identified in Typesetter CMS versions 5.1 and prior. The issue lies in the administrative interface, specifically in the Tools Status feature: the value of the path request parameter is written into the HTML response without adequate output encoding, so a crafted value containing HTML or JavaScript is reflected into the page as live markup rather than as text. Because the affected page belongs to the administrative interface, the request carrying the payload has to be made from an authenticated session; as with any reflected XSS, this in practice means an attacker delivers a crafted link to an administrator, whose browser then executes the injected script in the context of that administrative session.

Impact

A successful attack executes attacker-controlled script in the browser of the authenticated user who opens the crafted request, with the privileges of that user's session. Possible consequences include session hijacking (where the session cookie is readable by script, i.e. not marked HttpOnly), actions performed through the administrative interface on the victim's behalf, and disclosure of sensitive information visible to that session.

Reproduction

To reproduce this vulnerability, while authenticated to the administrative interface, request the Tools Status functionality with a path parameter whose value contains HTML markup or a script fragment. The response echoes the value unencoded, and the browser renders the injected markup and executes any script it contains. A non-executing probe is enough to confirm the issue: send a value containing the characters ", < and > and inspect the raw HTTP response (not the rendered DOM). If those characters come back unchanged rather than as the entities &quot;, &lt; and &gt;, the parameter is reflected without output encoding.
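
The pattern described above, modeled in Python as an added example for this entry (it is not Typesetter's own code, which is PHP; the endpoint URL, the function names and the probe value are assumptions): a Tools Status page that concatenates the path parameter into HTML unencoded, the same page with output encoding applied, and a check that decides from a captured response body whether the probe survived encoding.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed probe (not a working exploit): it carries the three characters an
# attacker needs to break out of an attribute or text context. If the response
# contains it unchanged, the parameter is reflected without HTML encoding.
PROBE = '"><xsstest'

# Hypothetical endpoint; the advisory does not give the real Tools Status URL.
EXAMPLE_URL = "https://example.invalid/Admin/Tools/Status?path=%22%3E%3Cxsstest"


def path_from_query(url: str) -> str:
    """Pull the 'path' parameter out of the request URL as a handler would."""
    params = parse_qs(urlparse(url).query)
    return params.get("path", [""])[0]


def tools_status_vulnerable(path: str) -> str:
    """Model of the flawed pattern: the raw parameter lands in two HTML contexts
    (element text and a quoted attribute) without any output encoding."""
    return (
        "<h2>Tools Status</h2>\n"
        f"<p>Checking path: {path}</p>\n"
        f'<input type="text" name="path" value="{path}">'
    )


def tools_status_fixed(path: str) -> str:
    """Same page with output encoding. html.escape(quote=True) turns & < > " '
    into entities, so the value can neither terminate the attribute nor open
    a tag, regardless of what the user supplied."""
    safe = html.escape(path, quote=True)
    return (
        "<h2>Tools Status</h2>\n"
        f"<p>Checking path: {safe}</p>\n"
        f'<input type="text" name="path" value="{safe}">'
    )


def reflects_unencoded(body: str, probe: str = PROBE) -> bool:
    """Reproduction check on a captured response body: True only if the probe's
    metacharacters came back raw. An encoded echo (&quot;&gt;&lt;xsstest) is
    the correct behaviour and does not count as a finding."""
    return probe in body


def assess(url: str, render) -> dict:
    """Render the page for the parameter taken from `url` and report whether
    the result reflects the probe unencoded."""
    body = render(path_from_query(url))
    return {"reflected_raw": reflects_unencoded(body), "body": body}


if __name__ == "__main__":
    for name, render in (("vulnerable", tools_status_vulnerable),
                         ("fixed", tools_status_fixed)):
        result = assess(EXAMPLE_URL, render)
        print(f"{name}: reflected_raw={result['reflected_raw']}")
        print(result["body"])
        print()
```

In the vulnerable render the probe closes the value attribute and starts a new tag; in the fixed render it is inert text. Against a live instance, run the same reflects_unencoded check over the raw HTTP response body, since a browser will already have parsed the injected markup away by the time you look at the DOM. The check and the fix both assume an HTML element or attribute context; a value reflected inside a script block or a URL attribute needs context-specific encoding that html.escape alone does not provide.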

Added: Jan 14, 2026, 7:24 PM
Updated: Jan 14, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.