CVE-2019-14805

1. CVE-2019-14805
2.  
3. >[Description]
4. > studio/builder_menu.php?page=sets in
5. > UNA 10.0.0-RC1 allows XSS via the System Name field under Sets during set editing.
6. >
7. > ------------------------------------------
8. >
9. > [Additional Information]
10. > UNA-v.10.0.0-RC1 [Stored XSS Vulnerability]#1
11. > Sign in to admin and look for the ["etemplates"] page (/studio/polyglot.php?page=etemplates)!
12. > Click ["Emails"] and edit the templates! Inject the JavaScript code into the ["System Name"] field!
13. > http://127.0.0.1/UNA/studio/polyglot.php?page=etemplates
14. >
15. > UNA-v.10.0.0-RC1 [Stored XSS Vulnerability]#2
16. > Sign in to admin and look for the ["sets"] page (studio/builder_menu.php?page=sets)!
17. > Click ["Sets"] and edit the "set"! Inject the JavaScript code into the ["System Name"] field!
18. > http://127.0.0.1/UNA/studio/polyglot.php?page=etemplates
19. >
20. > https://github.com/unaio/una/tree/master/studio
21. > https://una.io/
22. >
23. > ------------------------------------------
24. >
25. > [Vulnerability Type]
26. > Cross Site Scripting (XSS)
27. >
28. > ------------------------------------------
29. >
30. > [Vendor of Product]
31. > UNA
32. >
33. > ------------------------------------------
34. >
35. > [Affected Product Code Base]
36. > UNA - 10.0.0-RC1
37. >
38. > ------------------------------------------
39. >
40. > [Attack Type]
41. > Remote
42. >
43. > ------------------------------------------
44. >
45. > [Impact Code execution]
46. > true
47. >
48. > ------------------------------------------
49. >
50. > [Attack Vectors]
51. > Client side JavaScript code injection.
52. >
53. > ------------------------------------------
54. >
55. > [Reference]
56. > https://github.com/unaio/una/commits/master/studio
57.  
58. Use CVE-2019-14805.