Title: Reflected Cross-Site Scripting (XSS) Vulnerability in dbFront
Type: XSS (Cross-Site Scripting) / CWE-80
Description:
A Reflected Cross-Site Scripting (XSS) vulnerability was identified in dbFront, where user-controlled input was not properly escaped when used in certain error messages. This allows the injection of arbitrary JavaScript code into those specific messages.
More details will be provided after affected clients have had time to upgrade.
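To make the root cause concrete, the following is an added example in JavaScript and is not dbFront's own code; the error-message wording, the parameter name and the wrapper element are assumptions. It renders the same error message twice, once with the untrusted value concatenated into the markup verbatim and once with it HTML-escaped at the point where it enters the page, and includes a small check that flags rendered output containing markup other than the fixed wrapper.

```javascript
// Added example (not dbFront code): reflecting a user-supplied value into an
// HTML error message verbatim versus HTML-escaping it first. The message
// format and the wrapper <div> are assumptions for illustration only.

// Escape the five characters that can change HTML context. Both quote styles
// are encoded because error text frequently ends up inside attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the request parameter is concatenated into markup.
function renderErrorUnsafe(tableName) {
  return `<div class="error">Table '${tableName}' was not found.</div>`;
}

// Hardened pattern: identical message, with the untrusted value escaped
// where it enters HTML.
function renderErrorSafe(tableName) {
  return `<div class="error">Table '${escapeHtml(tableName)}' was not found.</div>`;
}

// Defender-side check for rendered output: returns true if any element other
// than the fixed wrapper <div> survived into the markup, which is exactly what
// a missing escape produces.
function containsUnexpectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?div(\s[^>]*)?>$/.test(t));
}

// Constructed sample input: a parameter value that closes the quoted name and
// carries a script element.
const sampleInput = "orders'><script>alert(1)</script>";

console.log(renderErrorUnsafe(sampleInput));
console.log(renderErrorSafe(sampleInput));
console.log(containsUnexpectedMarkup(renderErrorUnsafe(sampleInput))); // true
console.log(containsUnexpectedMarkup(renderErrorSafe(sampleInput)));   // false
```

The escaping shown is correct for text content and quoted attribute values; a value placed into a JavaScript string, a URL or a CSS property needs the encoding for that context instead, and the safest approach in a real application is the templating engine's context-aware auto-escaping rather than a hand-written helper.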
Impact:
An attacker could exploit this vulnerability to trick a user into executing arbitrary JavaScript in the context of the affected application, potentially leading to session hijacking, phishing attacks, or other client-side impacts.
This is a reflected vulnerability, not a stored one, and it is only exploitable by authenticated users.
Affected Versions: dbFront versions before 1.4.1.1263.
Fixed Versions:
This issue has been addressed in:
Mitigation: Users are advised to upgrade to the latest version of dbFront, either 1.4.1 or 1.4.2.
Credits: Discovered and reported by Carlos de la Fuente (Novita) as part of our bug bounty program.