CVE-2023-33438: CVEs/CVE-2023-33438/README.md at main · justas-dee/CVEs
A stored Cross-site scripting (XSS) vulnerability in Wolters Kluwer TeamMate+ 35.0.11.0 allows remote attackers to inject arbitrary web script or HTML.
Stored Cross-Site Scripting Vulnerability in Wolters Kluwer TeamMate+ (CVE-2023-33438)
Summary
A stored Cross-Site Scripting (XSS) vulnerability in Wolters Kluwer TeamMate+ 35.0.11.0 allows injection of arbitrary JavaScript code due to improper handling of user-provided input.
Vulnerable Components
It is possible to insert the following JavaScript code `<img src="x" <table="" onerror="alert()"` under:
- TeamStore -> Control -> New Cabinet -> New Folder -> New Control -> Control Description
- TeamStore -> ERM Risk Types -> New Cabinet -> New Folder -> New ERM Risk Types -> Definition
- TeamStore -> Planned Procedures -> New Cabinet -> New Folder -> New Planned Procedures -> Planned Procedures Description
- TeamStore -> Planned Procedures -> New Cabinet -> New Folder -> New Planned Procedures -> Conclusion
- TeamStore -> Planned Procedures -> New Cabinet -> New Folder -> New Planned Procedures -> Record of Work Done
- TeamStore -> Finding -> New Cabinet -> New Folder -> New Finding -> Finding Details
- TeamStore -> Finding -> New Cabinet -> New Folder -> New Finding -> New Recommendation -> GIA Recommendation
- TeamStore -> Finding -> New Cabinet -> New Folder -> New Finding -> New Recommendation -> Management Response
- TeamStore -> Finding -> New Cabinet -> New Folder -> New Finding -> New Recommendation -> Management Action
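
An added example, not part of the original advisory and not TeamMate+ code: a stored payload stays in the record until it is cleaned or encoded at render time, so this JavaScript flags stored field values that carry an inline event handler (including the unterminated tag shown above) and shows HTML output encoding rendering such a value inert. The record ids, sample values and function names are assumptions made for illustration.

```javascript
// Added example, not TeamMate+ code. Field names follow the advisory's list;
// record ids and values are constructed sample data.
const records = [
  { id: 1, field: "Control Description", value: "Quarterly access review by system owner." },
  { id: 2, field: "Finding Details", value: '<img src="x" <table="" onerror="alert()"' },
  { id: 3, field: "Management Response", value: "<p>Agreed, due <b>Q3</b>.</p>" },
  { id: 4, field: "Conclusion", value: "Based on = testing, x < y holds." },
];

// A tag opener followed, before any '>', by an on*= attribute. The closing '>'
// is deliberately not required: HTML parsers recover from malformed tags, so
// the advisory's unterminated payload must still match.
const INLINE_HANDLER = /<[a-z][^>]*?[\s"'\/]on[a-z]+\s*=/i;

// Triage heuristic for values that are already stored; it is not a sanitizer.
function findSuspectRecords(rows) {
  return rows.filter((r) => INLINE_HANDLER.test(r.value)).map((r) => r.id);
}

// Output encoding for an HTML text context, for fields meant to hold plain
// text. '&' is replaced first so the entities added afterwards are not
// double-encoded.
function encodeForHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

console.log("suspect record ids:", findSuspectRecords(records));
console.log("encoded for display:", encodeForHtml(records[1].value));
```

The pattern only prioritises records for review; fields that must keep rich-text formatting need an allowlist-based HTML sanitizer rather than plain encoding.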