Impact
The vulnerability is a stored cross‑site scripting flaw that allows an attacker to inject malicious JavaScript through the 'descripción' parameter of the '/loggrodemo/jbrain/MaestraCuentasBancarias' endpoint. When the content is later displayed to other users, the injected script will execute in their browsers, enabling actions such as session hijacking, cookie theft, and defacement. This is a classic example of CWE‑79, where unsanitized user input is persisted and rendered without proper escaping.
Affected Systems
The flaw affects all Loggro Pymes installations running versions prior to 1.0.124; the impacted product is the Loggro Pymes Web Application, maintained by Loggro Pymes. Users on earlier releases should verify their current build and plan an update, since the vendor has supplied a fix in version 1.0.124.
Risk and Exploitability
The CVSS score of 5.1 places the issue in the medium severity band, and the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting that no active exploitation has been widely reported. An attacker could exploit the flaw by submitting a crafted value to the 'descripción' field, which is then stored and replayed to other users, so the attack vector is primarily remote and web‑based.
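The mechanism described under Impact and the stored-and-replayed path described above, shown as an added example that is not Loggro's code: a record from a bank-account master list is rendered once by string concatenation (the CWE-79 pattern) and once with context-aware output encoding, plus an audit helper for triaging already-persisted descriptions. The field and record layout, the sample rows, and the helper names are constructed assumptions, not taken from the product.

```python
# Added example (not Loggro's code): why the stored 'descripción' value must be
# output-encoded before it is shown to other users, and what the fix looks like.
import html
import re

# Constructed rows standing in for persisted MaestraCuentasBancarias records.
# Row 2 holds a description a user submitted with markup in it.
STORED_ROWS = [
    {"id": 1, "banco": "Banco A", "descripcion": "Cuenta de ahorros"},
    {"id": 2, "banco": "Banco B", "descripcion": '"><script>alert(1)</script>'},
]


def render_row_vulnerable(row):
    # Vulnerable: persisted text is concatenated straight into the HTML (CWE-79),
    # so any tags or quotes it contains are interpreted by the viewer's browser.
    return (f'<tr><td>{row["banco"]}</td>'
            f'<td title="{row["descripcion"]}">{row["descripcion"]}</td></tr>')


def render_row_hardened(row):
    # Hardened: escape at the point of output. quote=True also encodes ' and "
    # so the value cannot terminate the title="..." attribute it is placed in.
    banco = html.escape(str(row["banco"]), quote=True)
    desc = html.escape(str(row["descripcion"]), quote=True)
    return f'<tr><td>{banco}</td><td title="{desc}">{desc}</td></tr>'


# Characters that carry meaning to an HTML parser, plus a common URL scheme abuse.
MARKUP_RE = re.compile(r"""[<>"']|javascript:""", re.IGNORECASE)


def find_suspicious_descriptions(rows):
    # Defensive audit of data that was stored before the fix was applied:
    # returns the ids whose description should be reviewed or cleaned.
    return [row["id"] for row in rows if MARKUP_RE.search(str(row["descripcion"]))]


if __name__ == "__main__":
    for row in STORED_ROWS:
        print("vulnerable:", render_row_vulnerable(row))
        print("hardened:  ", render_row_hardened(row))
    print("rows to review:", find_suspicious_descriptions(STORED_ROWS))
```

Escaping on output is the fix; the audit helper only narrows down which stored records to inspect after upgrading.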
OpenCVE Enrichment