Impact
The vulnerability is a stored cross-site scripting flaw in the Report Handler of CodeAstro Complaint Management System 1.0: an attacker can inject arbitrary JavaScript into the Report Title field, and the stored payload later executes in the context of the administrator's browser. This enables remote script execution that can lead to session hijacking, defacement, or data theft. The root cause is a classic input validation and output encoding failure (CWE-79), and the record also notes possible unsafe code execution (CWE-94).
Affected Systems
The affected product is CodeAstro Complaint Management System, version 1.0. No other versions are explicitly listed, so the impact is confined to deployments running this specific version.
Risk and Exploitability
The CVSS score of 5.1 indicates medium severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but an exploit has been publicly released and can be executed remotely by submitting a crafted Report Title to the /report/addreport endpoint. The attack path is straightforward: an attacker crafts a malicious script, submits it through the vulnerable form, and the stored payload runs in the administrator's browser when the report is viewed.
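The rendering step that this attack path depends on, next to the output-encoding fix that removes it, as an added Python illustration (not CodeAstro's code: the report store, the two render functions, the telemetry check and the sample title are all hypothetical, and the real /report/addreport handler is not shown):

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of an attacker-controlled Report Title, stored verbatim by
# a submission handler like /report/addreport (the real handler is not shown here).
SAMPLE_TITLE = '<script>alert(1)</script>" onmouseover="alert(2)'

def store_report(store: list, title: str, body: str) -> int:
    """Persist the report as submitted. Storing the raw value is fine; the
    defence belongs at the output boundary, where the HTML context is known."""
    store.append({"title": title, "body": body})
    return len(store) - 1

def render_report_row_unsafe(report: dict) -> str:
    """The vulnerable pattern: stored title concatenated straight into the
    admin's report table, once as an attribute and once as text."""
    return f'<tr><td title="{report["title"]}">{report["title"]}</td></tr>'

def render_report_row(report: dict) -> str:
    """Hardened rendering: html.escape() (quote=True by default) neutralises
    <, >, &, " and ' so the value can neither close the quoted attribute nor
    open a tag in the text node. The attribute must stay quoted in the template."""
    safe = html.escape(report["title"])
    return f'<tr><td title="{safe}">{safe}</td></tr>'

TAG_LIKE = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=", re.IGNORECASE)

def looks_like_markup(title: str) -> bool:
    """Cheap telemetry check for logging or alerting on tag-like or event-handler
    input. Detection only; it is not a substitute for output encoding."""
    return bool(TAG_LIKE.search(title))

class TagCollector(HTMLParser):
    """Tokenises rendered HTML the way a browser would, recording the elements
    and attribute names that actually result from the string."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend((tag, name) for name, _ in attrs)

def parse_tags(rendered: str) -> TagCollector:
    collector = TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector
```

Feeding the same stored title through both renderers and parsing the result shows the unsafe row yielding a `script` element and an `onmouseover` attribute on the cell, while the hardened row yields only the intended `title` attribute.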
OpenCVE Enrichment