VYPR
Unrated severity · NVD Advisory · Published Mar 22, 2018 · Updated Aug 5, 2024

CVE-2018-8903

Description

Open-AudIT Professional 2.1 allows XSS via the Name or Description field on the Credentials screen.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open-AudIT Professional 2.1 fails to sanitize the Name and Description fields on the Credentials screen, enabling stored XSS.

Vulnerability

Open-AudIT Professional 2.1 does not sanitize user input in the Name and Description fields on the Credentials screen, allowing an attacker to inject arbitrary HTML or JavaScript [1][2]. The stored cross-site scripting (XSS) vulnerability is present because the application fails to escape or filter these parameters before storing and later rendering them in the browser [1]. Affected versions include Open-AudIT Professional 2.1 only, as described in the references [1][2].

Exploitation

An attacker can exploit this vulnerability without requiring authentication if combined with cross-site request forgery (CSRF), as the application also lacks CSRF tokens [1]. The attacker crafts a malicious HTML page that submits a forged POST request to the /credentials endpoint containing an XSS payload in the Name or Description parameter [1][2]. If the victim is logged into Open-AudIT Professional 2.1 and visits the attacker's page, the malicious request is sent automatically, and the payload is stored [1]. When the victim later visits the Credentials page, the stored script executes in their browser [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session on the Open-AudIT application. This can lead to session hijacking, credential theft, defacement, or further attacks such as stealing sensitive data displayed on the page [2]. The attack does not require any special privileges beyond the victim's existing session, and the stored script persists until the injected credential entry is manually removed [1][2].

Mitigation

As of the available references, no official patch has been published for Open-AudIT Professional 2.1 [1][2]. The vendor should implement input validation and output encoding for the Name and Description fields, as well as add CSRF protection to prevent blind exploitation [1]. Users should consider upgrading to a later version if available, or restrict access to the application's web interface to trusted networks only.
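The two remediations named above, output encoding of the stored fields and a CSRF token on the credentials form, are shown below as an added example written for this page; it is not Open-AudIT code, and the row template, the field names and the in-memory session store are assumptions. It renders the advisory's own payload through an unencoded template (the sink described above) and through an encoded one, and lists which tags in the result did not come from the template.

```javascript
// Added example, not Open-AudIT's own code. It models the two remediations
// named in the mitigation paragraph: HTML output encoding of the stored Name
// and Description fields, and a synchronizer-token check on the credentials
// POST. The row template, field names and session store are assumptions.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a value for HTML text and double-quoted attribute contexts.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Vulnerable rendering: stored fields are interpolated into markup as-is,
// which is the stored-XSS sink the advisory describes.
function renderRowUnsafe(cred) {
  return `<tr><td title="${cred.name}">${cred.name}</td><td>${cred.description}</td></tr>`;
}

// Hardened rendering: each field is encoded for the context it lands in.
function renderRowSafe(cred) {
  const name = encodeHtml(cred.name);
  const description = encodeHtml(cred.description);
  return `<tr><td title="${name}">${name}</td><td>${description}</td></tr>`;
}

// Lists tag names in the markup that the row template itself never emits.
// A non-empty result means user data reached the page as live markup.
function foreignTags(html, templateTags = new Set(['tr', 'td'])) {
  const found = new Set();
  for (const m of html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!templateTags.has(tag)) found.add(tag);
  }
  return [...found];
}

// Constant-time comparison so the token check does not leak by timing.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Synchronizer-token check: the submitted form must echo the token bound to
// the caller's session. `sessions` is an assumed map of sessionId -> { csrfToken }.
function checkCsrf(sessions, req) {
  const session = sessions.get(req.sessionId);
  if (!session || typeof req.body.csrf_token !== 'string') return false;
  return constantTimeEqual(session.csrfToken, req.body.csrf_token);
}

// Constructed sample: the payload quoted in the advisory, stored in both fields.
const PAYLOAD = '"><img src=x onerror=alert(1337);>';
const SAMPLE_CRED = { name: PAYLOAD, description: PAYLOAD };

// Renders the sample both ways and reports which foreign tags each contains.
function demo() {
  const unsafe = renderRowUnsafe(SAMPLE_CRED);
  const safe = renderRowSafe(SAMPLE_CRED);
  return {
    unsafeForeignTags: foreignTags(unsafe), // ['img']: the payload became a live element
    safeForeignTags: foreignTags(safe),     // []: the payload is inert text
    safe,
  };
}

console.log(demo());
```

The encoder is the output-side half of the fix; the same fields should still be length- and character-validated on input, but encoding at render time is what stops the stored value from becoming markup regardless of how it got into the database. The CSRF check is separate from the XSS fix and only closes the unauthenticated delivery route the Exploitation section describes.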

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization on the Name and Description fields of the Credentials screen allows stored XSS."

Attack vector

An attacker who can reach the Credentials screen submits a malicious payload (e.g., `"><img src=x onerror=alert(1337);>`) in the Name or Description field [ref_id=1]. The server does not filter or encode the input, so the payload is stored and later executed in the browser of any victim who visits the credentials list page at `/omk/open-audit/credentials` [ref_id=1]. The attack requires only that the attacker has access to the application's credential creation form; no special network position is needed beyond normal web access.

Affected code

The advisory does not specify exact file paths or functions. The vulnerable functionality is the Credentials screen (Name and Description fields) in Open-AudIT Professional 2.1 [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] states that the root cause is the server not filtering inputs provided by an attacker. The remediation would require the application to sanitize or encode user-supplied data in the Name and Description fields before rendering them in the browser, preventing script execution.

Preconditions

  • Auth: Attacker must have access to the Open-AudIT Professional 2.1 web application and be able to reach the Credentials creation form.
  • Input: The victim must visit the credentials list page after the payload has been stored.

Reproduction

1. Log into Open-AudIT Professional 2.1.
2. Navigate to Home → Credentials.
3. Enter the payload `"><img src=x onerror=alert(1337);>` in the Name and Description fields.
4. Click Submit.
5. Visit `http://localhost/omk/open-audit/credentials` — the XSS payload executes [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.