Centraleyezer: Stored XSS using HTML Entities — CVE-2019–12299

Omayr Zanata
Nov 12, 2019 · 1 min read

Sandline Centraleyezer (On Premises) allows Stored XSS using HTML entities in the name field of the Category section.

I could bypass the restrictions using HTML Entities &gt &lt, the Stored XSS only triggers when editing the category.

This vulnerability was reported as fixed.

References:

https://seclists.org/fulldisclosure/2019/Nov/8

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12299

Written by

Can’t turn my brain off, you know. It’s me.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade