Scripting tag chars < > not filtered in input fields could cause Cross-Site Scripting (XSS)
Description
A vulnerability in a web UI input field of GateManager allows an authenticated attacker to enter script tags that could cause XSS. This issue affects all GateManager versions prior to 9.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GateManager prior to 9.3 has an XSS vulnerability in a web UI input field, allowing authenticated attackers to inject script tags.
Vulnerability
An input field in the web UI of GateManager is vulnerable to cross-site scripting (XSS) because it does not properly sanitize or escape user-supplied input. An authenticated attacker can submit script tags through this field, which are then executed in the context of other users' sessions. This issue affects all versions of GateManager prior to 9.3.
Exploitation
An attacker must be authenticated to the GateManager web interface. The attacker enters malicious script code into the vulnerable input field and submits it. When another user views the page containing that field, the script executes in their browser.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of session cookies, defacement, or redirection to malicious sites. The attack does not directly compromise the server itself but can affect users of the application [1].
Mitigation
The vulnerability is fixed in GateManager version 9.3. Users should upgrade to version 9.3 or later. No workarounds have been publicly disclosed in the available references [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.3
- Range: all
Patches
No patches discovered yet.
References
- www.secomea.com/support/cybersecurity-advisory/ (mitre, x_refsource_MISC)