Impact
The vulnerability in MDwiki, a content management system from Dynalon, allows remote attackers to inject malicious JavaScript into the location hash fragment of a URL. When a victim’s browser renders the page, the injected script executes within the user’s session, enabling attackers to steal session cookies, deface the site, or perform other actions as the authenticated user. The weakness is identified as a reflected Cross‑Site Scripting flaw.
Affected Systems
Dynalon MDwiki instances that have not applied the vendor’s fix are vulnerable. Specific version information is not supplied in the available data, so any release of MDwiki that includes the unsanitized hash handling is at risk.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. The likely attack vector is a targeted web‑based attack where an adversary crafts a URL containing malicious code in the hash fragment and lures a victim into visiting it. Exploitation requires only a victim’s browser to load the page; no additional credentials or privileges are needed beyond the victim’s active session.
OpenCVE Enrichment