Cross-site Scripting (XSS) - Stored in unilogies/bumsys
Description
A stored cross-site scripting vulnerability exists in unilogies/bumsys prior to v2.0.1, allowing an attacker to inject arbitrary JavaScript into the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the unilogies/bumsys project, a simple business management system. The bug affects all versions prior to v2.0.1 [1]. The flaw is in the application's input handling: user-supplied data is stored without sanitization and later written into HTML pages without output encoding, so markup and script embedded in the stored value are interpreted by the browser. The advisory does not identify the specific field or page involved.
Exploitation
An attacker who can submit data that the application stores and later displays can place a payload containing JavaScript in that data. The advisory does not say which input is affected; typical candidates in an application of this kind are registration, profile and record-editing forms. Beyond ordinary application access, no special privileges are needed. The payload is persisted server-side and executes in the browser of every user who views the affected page, including administrators [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the application's origin. This can lead to session hijacking, theft of data visible to the victim, defacement, or in-application phishing. The impact is bounded by the victim's privileges, since the script runs as that user; when the victim is an administrator, the attacker effectively obtains administrative control of the application [2].
Mitigation
The advisory states that the vulnerability is fixed in version 2.0.1 of bumsys; users should upgrade to that version [1]. The commit linked from the advisory [1] is a CI workflow file and does not show the application-level change (see "What the fix does" below). No workaround is documented for older versions.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <2.0.1
- (no CPE) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application does not properly sanitize user-supplied input before rendering it in the web interface, leading to cross-site scripting."
Attack vector
An attacker can inject malicious JavaScript code into fields that are stored and later displayed by the application. When another user views the content containing the injected script, the code is executed in their browser. This vulnerability is a stored cross-site scripting (XSS) flaw [CWE-79].
Affected code
The vulnerability exists in the GitHub repository unilogies/bumsys prior to v2.0.1. The specific files or functions responsible for the lack of input sanitization are not detailed in the provided information.
What the fix does
The provided patch is a GitHub Actions workflow file for CI testing and contains no application code changes, so it does not show how the vulnerability was addressed. Beyond naming v2.0.1 as the first unaffected version, the advisory does not describe the fix.
Preconditions
- input: The attacker must be able to input data into a field that is later displayed by the application.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.