Centraleyezer: Stored XSS using HTML Entities — CVE-2019-12299
Nov 12, 2019
Sandline Centraleyezer (On Premises) allows Stored XSS using HTML entities in the name field of the Category section.
I could bypass the restrictions using HTML entities for > and <; the stored XSS only triggers when editing the category.
This vulnerability was reported as fixed.
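The pattern described above (a filter that rejects raw angle brackets, a stored value that carries them as entities, and an edit page that decodes the stored value before rendering it) is easy to reproduce in miniature. The following is an added example written for this page; it is not Sandline's code and not from the original post, and the filter logic, the two render functions and the sample category name are all assumptions. It shows the bypass at the validation layer, the broken edit-page render, and the two defensive fixes a reviewer would ask for: canonicalize (decode) before validating, and always encode at output regardless of what validation did.

```python
"""Added example: why a raw-character blocklist does not stop stored XSS
when a later view decodes HTML entities, and how to fix it.
Not the vendor's code; every name here is an assumption."""
import html
import re

# Constructed sample: a category name that passes a "no raw < or >" filter
# because the markup is carried as HTML entities. A harmless <b> tag is
# enough to show that arbitrary markup reaches the edit page.
CATEGORY_NAME = "Servers &lt;b&gt;prod&lt;/b&gt;"

RAW_ANGLE_BRACKET = re.compile(r"[<>]")


def passes_naive_filter(value: str) -> bool:
    """Assumed input filter: rejects only literal '<' and '>'.
    Entity-encoded brackets sail through."""
    return RAW_ANGLE_BRACKET.search(value) is None


def passes_canonicalized_filter(value: str) -> bool:
    """Fix 1 (validation layer): decode entities first, then check.
    Validating the canonical form closes the entity bypass."""
    return RAW_ANGLE_BRACKET.search(html.unescape(value)) is None


def render_edit_heading_vulnerable(stored: str) -> str:
    """Vulnerable edit-page render (assumed): the stored name is
    entity-decoded "for display" and interpolated into the HTML body
    without being re-encoded, so the decoded markup becomes live markup."""
    decoded = html.unescape(stored)
    return f"<h2>Edit category: {decoded}</h2>"


def render_edit_heading_hardened(stored: str) -> str:
    """Fix 2 (output layer): whatever was stored or decoded, encode for the
    HTML body context at the point of output. html.escape also encodes
    quotes, so the same helper is safe inside attribute values."""
    decoded = html.unescape(stored)
    return f"<h2>Edit category: {html.escape(decoded, quote=True)}</h2>"


def rendered_markup_from_input(rendered: str, template_tags=("h2",)) -> list:
    """Detection helper: list any tags in the rendered output that are not
    part of the page template. A non-empty list means user-controlled
    markup reached the browser as markup rather than as text."""
    tags = re.findall(r"</?([a-zA-Z][a-zA-Z0-9]*)", rendered)
    return [t for t in tags if t.lower() not in template_tags]


if __name__ == "__main__":
    print("naive filter accepts:       ", passes_naive_filter(CATEGORY_NAME))
    print("canonicalized filter accepts:", passes_canonicalized_filter(CATEGORY_NAME))
    vuln = render_edit_heading_vulnerable(CATEGORY_NAME)
    safe = render_edit_heading_hardened(CATEGORY_NAME)
    print("vulnerable render:", vuln, "-> foreign tags:", rendered_markup_from_input(vuln))
    print("hardened render:  ", safe, "-> foreign tags:", rendered_markup_from_input(safe))
```

Either fix alone breaks the chain reported here, but they guard different things: the canonicalized filter stops this particular bypass at input, while output encoding protects every view that renders the field, including ones added later that the input filter's author never saw. The detection helper is the kind of check a template unit test can run over every rendered view with a stored sample like the one above.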
References:
https://seclists.org/fulldisclosure/2019/Nov/8
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12299