Wocu Monitoring stored Cross-Site Scripting (XSS)
Wocu Monitoring, versions 0.27 and higher, but earlier than 48.2.
INCIBE has coordinated the publication of a vulnerability in Wocu Monitoring, with the internal code INCIBE-2022-0593, which has been discovered by David Cámara Galindo, from Telefónica Tech.
CVE-2021-4035 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H.
This vulnerability has been solved by A3Sec in the 48.2 version released on 03/12/2021. All affected client versions were patched from 03/12/2021 to 05/12/2021.
The text editor TinyMCE is susceptible to XSS by not validating the received content.
All content has been sanitized from the server side, avoiding XSS injections.
A stored Cross-Site Scripting (XSS) have been identified in the report creation due to an obsolete version of TinyMCE editor.
In order to exploit this vulnerability the attackers needs an account with enough privileges to view and edit reports.
CWE-79: improper neutralization of input during web page generation (Cross-Site Scripting).
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.