CVE-2020-25491

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in 6Kare Emakin version 5.0.341.0. The DisplayName field in the profile editing endpoint /rpc/membership/setProfile is not properly sanitized. When a malicious payload is stored, it is executed in the context of the browser when the Activity Stream page renders [1].

Exploitation

An authenticated attacker can exploit this vulnerability by sending a POST request to /rpc/membership/setProfile with a crafted ` payload in the DisplayName` field [1]. The payload is stored and automatically executed when any user views the Activity Stream page, requiring no additional user interaction.

Impact

Successful exploitation allows arbitrary JavaScript execution in the browsers of users viewing the Activity Stream. This can lead to session hijacking, credential theft, and other client-side attacks, compromising the confidentiality and integrity of user sessions [1].

Mitigation

As of the latest available information, no official patch has been released for CVE-2020-25491 [1]. Organizations should implement input validation and output encoding for the DisplayName field, and consider upgrading to a patched version if one becomes available.