Altium Workflow Engine Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Altium Workflow Engine. The issue arises from inadequate server-side input sanitization in the workflow form submission APIs. As a result, a regular authenticated user can inject arbitrary JavaScript into the workflow data. When an administrator accesses the affected workflow, the injected script executes in the administrator's browser context. Successful exploitation can lead to privilege escalation, allowing the creation of new administrator accounts, theft of session tokens, and execution of administrative actions.
Impact
Exploitation of this vulnerability results in stored cross-site scripting: the injected JavaScript executes in the context of an administrator's browser. This could lead to privilege escalation, including the creation of new administrator accounts, theft of session tokens, and the ability to perform administrative actions.
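As an added illustration (not Altium's code and not part of the original advisory), the sketch below shows the class of flaw described above next to the standard mitigation: validate workflow form submissions on the server and HTML-encode stored values when they are rendered. The field names, schema limits, and function names are hypothetical, and the sample submission is constructed.

```javascript
// Added example, not Altium code. Field names, limits and helpers are assumptions.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a stored value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed schema for a workflow form: allowed field name -> maximum length.
const FIELD_RULES = { title: 120, comment: 2000 };

// Server-side check at submission time: allowlisted fields, string type, length cap.
// The text is stored as submitted; validation narrows input but does not neutralize markup.
function validateSubmission(form) {
  const clean = {};
  for (const [name, value] of Object.entries(form)) {
    if (!Object.prototype.hasOwnProperty.call(FIELD_RULES, name)) {
      throw new Error(`unexpected field: ${name}`);
    }
    if (typeof value !== 'string') throw new Error(`field ${name} must be a string`);
    if (value.length > FIELD_RULES[name]) throw new Error(`field ${name} is too long`);
    clean[name] = value;
  }
  return clean;
}

// Flawed pattern: stored values are concatenated into the administrator's view,
// so any markup in the workflow data is interpreted by the browser.
function renderWorkflowUnsafe(record) {
  return `<h2>${record.title}</h2><p>${record.comment}</p>`;
}

// Hardened pattern: every stored value is encoded for its output context.
function renderWorkflowSafe(record) {
  return `<h2>${escapeHtml(record.title)}</h2><p>${escapeHtml(record.comment)}</p>`;
}

// Constructed sample submission from a regular user (textbook test marker).
const stored = validateSubmission({
  title: 'Release review',
  comment: '<img src=x onerror=alert(1)>',
});

console.log(renderWorkflowUnsafe(stored)); // markup reaches the page intact
console.log(renderWorkflowSafe(stored));   // markup is rendered as inert text
```

Type and length validation alone lets the sample through unchanged, which is why the encoding step at render time is the control that stops the script from executing in the administrator's session.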
