VYPR
Severity: Unrated · Source: NVD Advisory · Published Dec 13, 2018 · Updated Aug 5, 2024

Pixar's Tractor software, versions 2.2 and earlier, contains a stored cross-site scripting vulnerability

CVE-2018-5411

Description

Pixar's Tractor software, versions 2.2 and earlier, contains a stored cross-site scripting vulnerability in the field that allows a user to add a note to an existing node. The stored information is displayed when a user requests information about the node. An attacker could insert JavaScript into this note field that is then saved and displayed to the end user. An attacker might include JavaScript that could execute on an authenticated user's system and lead to website redirects, session cookie hijacking, social engineering, etc. As this is stored with the information about the node, all other authenticated users with access to this data are also vulnerable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pixar Tractor 2.2 and earlier contains a stored cross-site scripting vulnerability in the node note field, allowing an attacker to execute JavaScript on authenticated users' browsers.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Pixar Tractor versions 2.2 and earlier. The flaw resides in the node note field, where an authenticated user can input arbitrary JavaScript. This input is stored on the server and later displayed to any authenticated user who views information about the node. The vulnerability is classified as CWE-79 [1].

Exploitation

An attacker must be an authenticated Tractor user with the ability to add notes to nodes. The attacker submits crafted JavaScript into the note field. When another authenticated user (or the same user) views the node details, the stored script executes in the context of the victim's browser. No special network position beyond normal application access is required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browsers of other authenticated users. This can lead to website redirects, session cookie hijacking, social engineering, or other actions that the victim's session permits. Because the script is stored and shared, all users with access to the affected node are at risk [1].

Mitigation

Pixar released Tractor version 2.3 (build 1923604) to address the vulnerability. Affected users should upgrade to this version. No workarounds are documented for earlier releases, and no KEV listing has been published [1].
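The defect class described under Exploitation and the fix class implied under Mitigation, as an added illustration in JavaScript (this is not Pixar's code and not Tractor's real rendering path; the node ids, note text and function names are constructed for the example): the unsafe pattern concatenates the stored note straight into markup, the hardened pattern HTML-encodes every interpolated value at output time, and a small audit helper flags already-stored notes that contain markup so an operator can review them after upgrading.

```javascript
// Added example, not Pixar Tractor code: output encoding for a stored
// "node note" field (the defect class behind CVE-2018-5411) plus an audit helper.

// Encode the five characters that let untrusted text break out of an HTML
// text or quoted-attribute context. Encoding at output time is the primary
// defence against stored XSS; input filtering alone is not sufficient.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Vulnerable pattern: the stored note is concatenated straight into markup,
// so any tag an authenticated user saved becomes live HTML for every viewer.
function renderNoteUnsafe(nodeId, note) {
  return `<div class="note" data-node="${nodeId}">${note}</div>`;
}

// Hardened pattern: every interpolated value is encoded for its context,
// so the same note is displayed as literal text.
function renderNoteSafe(nodeId, note) {
  return `<div class="note" data-node="${escapeHtml(nodeId)}">${escapeHtml(note)}</div>`;
}

// Audit helper for notes already in the database: returns the node ids whose
// note text contains tag-like markup, a javascript: scheme or an on*= handler.
// Heuristic only (not an HTML parser); it is meant to produce a review list.
function findSuspiciousNotes(notes) {
  const markup = /<\s*\/?\s*[a-z!?][^>]*>|javascript:|on[a-z]+\s*=/i;
  return notes.filter((n) => markup.test(n.note)).map((n) => n.nodeId);
}

// Constructed sample records (hypothetical node ids and note text).
const SAMPLE_NOTES = [
  { nodeId: "task-101", note: "Re-render after texture fix; see ticket 42" },
  { nodeId: "task-102", note: "<script>alert(1)</script>" },
  { nodeId: "task-103", note: '<img src=x onerror="alert(1)">' },
  { nodeId: "task-104", note: "Render time 5 < 10 minutes, OK" },
];

for (const n of SAMPLE_NOTES) console.log(renderNoteSafe(n.nodeId, n.note));
console.log("notes to review:", findSuspiciousNotes(SAMPLE_NOTES));
```

The benign "5 < 10" note is encoded correctly and is not flagged by the audit, while the two markup-bearing notes render as inert text and appear on the review list.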

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Pixar/Tractor [llm-create]: Range <=2.2
  • Pixar/Tractor [v5]: Range 2.2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.