sra-admin is a background rights management system that separates the front and back end. sra-admin version 1.1.1 has a storage cross-site scripting (XSS) vulnerability. After logging into the sra-admin background, an attacker can upload an html page containing xss attack code in "Personal Center" - "Profile Picture Upload" allowing theft of the user's personal information. This issue has been patched in 1.1.2. There are no known workarounds.
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
| Link | Tags |
|---|---|
| https://github.com/momofoolish/sra-admin/security/advisories/GHSA-v7r9-qx74-h3v8 | third party advisory exploit |