Impact
The vulnerability exists in the Mail Compose Page of code‑projects Project Management System 1.0. The flaw arises from undefined handling of user input in /mail.php, permitting the insertion of arbitrary script code. This cross‑site scripting flaw can lead to defacement of mail content, injection of malicious payloads into the client browser, and a potential compromise of user session data. The weakness corresponds to CWE‑79 and CWE‑94. Based on the description, it is inferred that unsanitized input can be used to inject arbitrary scripts.
Affected Systems
Affected systems include deployments of code‑projects Project Management System version 1.0 that expose the /mail.php endpoint. Any environment hosting this component and accessible from the Internet is susceptible to the XSS flaw.
Risk and Exploitability
The CVSS score of 5.1 indicates a moderate severity. Because the exploitation requires only remote input and the vulnerability is publicly disclosed, there is a reasonable chance that attackers could abuse it. The EPSS score is not available, so the precise likelihood cannot be quantified, but the absence from the CISA KEV catalog suggests no current proven exploitation. Attackers are expected to trigger the flaw by sending crafted input to the Mail Compose endpoint, leading to script execution in victims' browsers.
OpenCVE Enrichment