Impact
A stored cross-site scripting flaw exists in the Loggro Pymes web application. Malicious code can be injected via the ‘Facebook’ parameter of the /loggrodemo/jbrain/ConsultaTerceros endpoint; the value is persistently stored and later rendered to other users. The vulnerability is classified as CWE-79 and lets an attacker execute arbitrary script in the browsers of affected users.
Affected Systems
The affected product is Loggro Pymes. Versions prior to 1.0.124 are vulnerable; the team has released a patch in Loggro Pymes 1.0.124 that addresses the issue.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. The EPSS of less than 1% implies a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is client-side: an attacker supplies a malicious value for the Facebook parameter, which is stored and then surfaced to other users browsing the application.
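The stored-XSS pattern described in the Impact and Risk sections, as an added illustration (this is not Loggro's code): a minimal "before" and "after" for rendering a stored Facebook field, an assumed allow-list for the value, and a parser check that confirms the escaped output introduces no extra elements. The record, the payload and the allow-list are constructed assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample record for a third-party contact; the payload is an
# illustrative script tag, not a value taken from the advisory.
SAMPLE_RECORD = {"name": "Acme S.A.S.", "facebook": "<script>alert(1)</script>"}


def render_unsafe(record: dict) -> str:
    """'Before': the stored value is interpolated verbatim into the page."""
    return f'<td class="facebook">{record["facebook"]}</td>'


def render_escaped(record: dict) -> str:
    """'After': contextual output encoding for an HTML text node (the CWE-79 fix)."""
    return f'<td class="facebook">{html.escape(record["facebook"], quote=True)}</td>'


def is_facebook_url(value: str) -> bool:
    """Assumed allow-list for the field: an https URL on a facebook.com host only."""
    parsed = urlparse(value)
    host = parsed.hostname or ""
    return parsed.scheme == "https" and (host == "facebook.com" or host.endswith(".facebook.com"))


def render_link(record: dict) -> str:
    """Render a clickable link only when the value passes the allow-list; otherwise escaped text."""
    value = record["facebook"]
    if is_facebook_url(value):
        safe = html.escape(value, quote=True)  # attribute and text context both escaped
        return f'<td class="facebook"><a href="{safe}" rel="noopener">{safe}</a></td>'
    return render_escaped(record)


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(fragment: str) -> list:
    """Regression check: which elements does a parser see in a rendered fragment?"""
    collector = _TagCollector()
    collector.feed(fragment)
    return collector.tags
```

The check `element_names(render_unsafe(SAMPLE_RECORD))` reports a `script` element alongside the `td`, while the escaped and allow-listed renderings report only the intended elements.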
OpenCVE Enrichment