CVE-2015-5462

Vulnerability

AxiomSL's Axiom Google Web Toolkit (GWT) module version 9.5.3 and earlier contains an HTML injection vulnerability in the scoping dashboard features [1]. The vulnerability allows remote attackers to inject arbitrary HTML into the dashboard, potentially leading to further attacks.

Exploitation

An attacker can exploit this vulnerability by sending crafted input to the scoping dashboard, likely via HTTP requests. No authentication is mentioned, so it may be exploitable by unauthenticated remote attackers. The exact steps are not detailed in the available references.

Impact

Successful exploitation allows an attacker to inject HTML into the scoping dashboard, which could lead to defacement, phishing, or other client-side attacks if the injected HTML is rendered in a browser context. The impact is limited to HTML injection; no code execution or data breach is explicitly stated.

Mitigation

The vendor has not released a patch for this vulnerability as of the publication date (2019-04-03). Users should upgrade to a version beyond 9.5.3 if available, or apply input validation and output encoding to mitigate the risk. The advisory from Excellium Services (now Thales) provides details [1].