CMU CERT/CC VINCE v2.0.6 Stored XSS

Zero Science Lab

Title: CMU CERT/CC VINCE v2.0.6 Stored XSS
Advisory ID: ZSL-2025-5917
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 10.02.2025

Summary

VINCE is the Vulnerability Information and Coordination Environment developed and used by the CERT Coordination Center to improve coordinated vulnerability disclosure. VINCE is a Python-based web platform.

Description

The framework suffers from an authenticated stored cross-site scripting vulnerability. Input passed to the ‘content’ POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user’s browser session in the context of an affected site.
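
The check below is an added example, not code from VINCE or from the advisory. It renders a stored 'content' value with and without output encoding and audits which elements and event-handler attributes a browser would parse. The render functions, the audit helper and the sample values are hypothetical, and the standard library's html.escape stands in for the framework's own output encoding.

```python
import html
from html.parser import HTMLParser

def render_unescaped(content):
    """Behaviour the advisory describes: the stored value is echoed as-is."""
    return '<div class="post">' + content + "</div>"

def render_escaped(content):
    """Output-encode the stored value for an HTML text context."""
    return '<div class="post">' + html.escape(content, quote=True) + "</div>"

class TagAudit(HTMLParser):
    """Record every element and on* attribute a browser would parse."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

def audit(page, allowed=("div",)):
    """Return (unexpected tags, event-handler attributes) in rendered HTML."""
    parser = TagAudit()
    parser.feed(page)
    parser.close()
    return [t for t in parser.tags if t not in allowed], parser.handlers

# Constructed sample submissions for the 'content' field (not the advisory's PoC).
SAMPLES = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "plain <b>text</b> & more",
]

def report():
    """Map each sample to the audit result of both renderers."""
    return {s: (audit(render_unescaped(s)), audit(render_escaped(s))) for s in SAMPLES}

if __name__ == "__main__":
    for sample, (raw, safe) in report().items():
        print(f"{sample!r}: unescaped={raw} escaped={safe}")
```

Run as a regression test, the audit of the escaped renderer should report no unexpected tags and no handlers for every stored value.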

Vendor

Carnegie Mellon University - https://www.kb.cert.org

Affected Version

<=2.0.6

Tested On

nginx/1.20.0
Django 3.2.17

Vendor Status

[13.01.2023] Vulnerability discovered.
[13.01.2023] Vendor informed.
[30.03.2023] Vendor releases version 2.0.7 to address this issue.
[10.02.2025] Public security advisory released.

PoC

vince_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic

References

[1] https://github.com/CERTCC/VINCE/releases/tag/v2.0.7
[2] https://packetstorm.news/files/id/189098/

Changelog

[10.02.2025] - Initial release

Contact

Zero Science Lab

Web: https://www.zeroscience.mk