Impact
A stored Cross‑Site Scripting flaw has been discovered in Digiwin EasyFlow .NET. When a malicious authenticated user submits content that contains JavaScript code, the application saves the input and renders it unchanged the next time any user loads the affected page. The persistent script executes automatically in the victim’s browser, providing an attacker a venue for downstream attacks such as credential theft, defacement, phishing, or session hijacking.
Affected Systems
The vulnerability affects all deployments of Digiwin EasyFlow .NET that have not been upgraded to version 8.1.5 or later. The supplied CNA statement indicates that any instance running a pre‑8.1.5 release is susceptible; no specific build numbers are listed.
Risk and Exploitability
The CVSS score of 5.1 classifies this as moderate severity, reflecting the requirement that an attacker must be authenticated and that the impact is limited to users who view the exploited page. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalogue, suggesting no confirmed widespread exploitation at present. The likely attack vector is remote, authenticated: a partially trusted user can upload malicious payloads which then persist and impact other users who subsequently view the page.
OpenCVE Enrichment