VYPR · Unrated severity · NVD Advisory · Published Oct 27, 2023 · Updated Sep 12, 2024

CVE-2022-34834

Description

An issue was discovered in VERMEG AgileReporter 21.3. Attackers can gain privileges via an XSS payload in an Add Comment action to the Activity log.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

VERMEG AgileReporter 21.3 Stored XSS via Add Comment in Activity log allows privilege escalation.

Vulnerability

VERMEG AgileReporter 21.3 contains a stored cross-site scripting (XSS) vulnerability in the Add Comment action within the Activity log. The application does not sanitize user input before storing and later rendering it, allowing an attacker to inject arbitrary JavaScript. This issue affects AgileReporter version 21.3.[1][2]

Exploitation

An authenticated user with sufficient privileges can inject a malicious payload, such as ``, into the Message field of a broadcast message or comment. When an administrator (or any target user) views the activity log, the payload executes in their browser session. According to the reference, only an admin user can inject the payload, but the execution occurs whenever any user with access to the affected page loads it.[2]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the targeted user's browser. This can lead to session hijacking, exposure of sensitive data, or privilege escalation by performing actions on behalf of the victim user. The attacker can potentially gain higher privileges within the application.[1][2]

Mitigation

As of the publication date (2023-10-27), no official patch had been released. The vendor's website provides general product information but does not detail a security update for this specific CVE.[1] Users should monitor vendor communications for a fix. In the interim, restricting administrative access to trusted users and implementing input validation and output encoding for user-supplied data can reduce risk.
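The output-encoding mitigation above, as an added example that is not VERMEG's code: a stored activity-log comment is encoded at the point it is rendered into HTML, shown beside the unsafe interpolation that turns a comment into script. The entry shape, field names and sample comment are assumptions constructed for the example.

```javascript
// Added example (not VERMEG's code): contextual output encoding for
// user-supplied activity-log comments. Entry fields are assumptions.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a string for HTML element content or a double-quoted attribute.
// Every character the HTML parser treats specially is replaced, so stored
// input can neither open a tag nor break out of the attribute it sits in.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened rendering: author and message come from the database (attacker
// controlled after an Add Comment action), so both are encoded on output.
function renderActivityEntry(entry) {
  return (
    `<li class="activity-entry" data-author="${escapeHtml(entry.author)}">` +
    `<span class="author">${escapeHtml(entry.author)}</span>: ` +
    `<span class="message">${escapeHtml(entry.message)}</span>` +
    `</li>`
  );
}

// Vulnerable counterpart: interpolating stored text straight into markup is
// the pattern that lets a comment execute in the viewer's browser.
function renderActivityEntryUnsafe(entry) {
  return (
    `<li class="activity-entry" data-author="${entry.author}">` +
    `<span class="author">${entry.author}</span>: ` +
    `<span class="message">${entry.message}</span>` +
    `</li>`
  );
}

// Constructed sample comment carrying tag and attribute-breakout characters.
const SAMPLE_ENTRY = {
  author: 'admin" onmouseover="alert(1)',
  message: '<script>alert(1)</script> routine check',
};

// Detection check for a rendered fragment: true if the input's raw tag or
// unescaped attribute breakout survived into the markup.
function containsRawMarkup(html) {
  return /<script|onmouseover="/i.test(html);
}
```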

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
