A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HAltium On Prem Enterprise Server
APPAltium8.0.1
Powiązane podatności
Altium Enterprise Server: hardcoded key + path traversal umożliwiają przejęcie serwera
Path traversal w Altium Enterprise Server Vault Service — zapis dowolnych plików i RCE
Path Traversal w Altium Enterprise Server NIS — nieuwierzytelniony RCE
AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsi...
HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authentic...