Acumos Design Studio cross site scripting
Description
A vulnerability, which was classified as problematic, was found in Acumos Design Studio up to 2.0.7. Affected is an unknown function. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.0.8 is able to address this issue. The name of the patch is 0df8a5e8722188744973168648e4c74c69ce67fd. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-249420.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Acumos Design Studio versions up to 2.0.7 contain a cross-site scripting vulnerability in an unknown function that can be exploited remotely.
Vulnerability
Acumos Design Studio versions up to 2.0.7 are affected by a problematic cross-site scripting vulnerability [1]. The vulnerability exists in an unknown function within the DesignStudioCeController class, where the solutionId parameter is not sanitized before being used in methods such as saveCompositeSolution, addNode, and readCompositeSolutionGraph [1]. The manipulation leads to reflected XSS, and the vulnerability can be triggered remotely. Versions 2.0.0 through 2.0.7 are affected.
Exploitation
An attacker can launch the attack remotely without requiring authentication or user interaction [1]. The attack is performed by crafting a malicious request that includes a solutionId parameter containing JavaScript code. The unsanitized input is passed to various methods, allowing the script to be reflected back to the user or executed in the context of the application.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session [1]. This can lead to information disclosure, session hijacking, or other client-side attacks within the Design Studio application [2].
Mitigation
The vulnerability is fixed in Acumos Design Studio version 2.0.8, released on the same day as the fix [1][2]. The patch, commit 0df8a5e8722188744973168648e4c74c69ce67fd, introduces input sanitization using SanitizeUtils.sanitize() on the solutionId parameter [1]. Users are strongly recommended to upgrade to version 2.0.8 or later [2]. There is no known workaround for versions prior to 2.0.8.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<= 2.0.7+ 1 more
- (no CPE)range: <= 2.0.7
- (no CPE)range: 2.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/acumos/design-studio/commit/0df8a5e8722188744973168648e4c74c69ce67fdmitrepatch
- github.com/acumos/design-studio/releases/tag/2.0.8mitrepatch
- vuldb.commitresignaturepermissions-required
- vuldb.commitrevdb-entry
News mentions
0No linked articles in our index yet.