In vFairs 3.3, any user logged in to a vFairs virtual conference or event can modify any other users profile information to include a cross-site scripting payload. The user data stored by the database includes HTML tags that are intentionally rendered out onto the page, and this can be abused to perform XSS attacks.
References
Link | Resource |
---|---|
http://vfairs.com | Vendor Advisory |
https://www.huntress.com/blog/zero-day-vulnerabilities-in-popular-event-management-platforms-could-leave-msps-open-to-attack | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-05-26T11:54:59
Updated: 2021-05-26T11:54:59
Reserved: 2020-10-07T00:00:00
Link: CVE-2020-26680
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-05-26T12:15:15.930
Modified: 2021-06-01T13:34:15.163
Link: CVE-2020-26680
JSON object: View
Redhat Information
No data.
CWE