Centraleyezer: Stored XSS using HTML Entities — CVE-2019-12299

Omayr Zanata
Nov 12, 2019


Sandline Centraleyezer (On Premises) allows Stored XSS using HTML entities in the name field of the Category section.

I could bypass the restrictions using the HTML entities &gt and &lt; the stored XSS only triggers when editing the category.
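Added example (my own constructed model, not Centraleyezer's code) of the bug class described above: an input filter that only rejects literal angle brackets lets entity-encoded text through, and the edit form then decodes the stored value before interpolating it, so the entities become live markup. The hardened renderer never decodes user data and escapes for the attribute context at output time. The decode-on-edit step is an assumption about why the XSS fires only on the edit page.

```python
import html

# Constructed category name: passes a "no < or >" filter because it
# carries only entities. Benign <b> markup stands in for any payload.
CONSTRUCTED_NAME = "Sales &lt;b&gt;team&lt;/b&gt;"


def accept_category_name(name: str) -> bool:
    """Naive input filter: rejects only literal angle brackets."""
    return "<" not in name and ">" not in name


def render_edit_form_weak(stored_name: str) -> str:
    """Vulnerable (assumed) edit-page path: entity-decode the stored value,
    then interpolate it raw into the form. Entities become real tags."""
    decoded = html.unescape(stored_name)
    return f'<input name="category" value="{decoded}">'


def render_edit_form_fixed(stored_name: str) -> str:
    """Hardened path: never decode user data on the way out; escape for the
    HTML attribute context (quote=True also escapes " and ')."""
    safe = html.escape(stored_name, quote=True)
    return f'<input name="category" value="{safe}">'


def contains_live_markup(rendered: str, marker: str = "<b>") -> bool:
    """Detection helper: did user-controlled text turn into a real tag?"""
    return marker in rendered


if __name__ == "__main__":
    assert accept_category_name(CONSTRUCTED_NAME)          # filter is bypassed
    print("weak :", render_edit_form_weak(CONSTRUCTED_NAME))   # live <b> tag
    print("fixed:", render_edit_form_fixed(CONSTRUCTED_NAME))  # entities stay text
```

The fixed output shows the stored entities literally (as `&amp;lt;`), which is the correct behaviour: what the user typed is displayed, not interpreted.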

This vulnerability was reported as fixed.

References:

https://seclists.org/fulldisclosure/2019/Nov/8

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12299
