Weaver E-Mobile Mobile Management Platform Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Weaver E-Mobile Mobile Management Platform, affecting versions through 20250813. The issue arises from the 'gohome' parameter, which is not properly sanitized before being displayed on the front end. This vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, append a malicious payload to the 'gohome' parameter in the URL. The XSS payload will be executed on the login page, taking advantage of the lack of input filtering for quotation marks and semicolons.