Impact
Hashgraph Guardian versions up to and including 3.6.0 contain a stored cross‑site scripting flaw that enables any authenticated user holding the STANDARD_REGISTRY role to submit specially crafted data in the companyName field of the branding configuration API. The malicious value is stored and later injected into the web interface through an unsanitized innerHTML assignment by the branding service, causing arbitrary JavaScript to execute whenever an authenticated user loads any page of the application. The flaw primarily undermines the confidentiality and integrity of the client‑side session, potentially allowing an attacker to capture user input or modify page content while the victim is logged in. Based on the description, such exploitation could facilitate credential theft or other malicious client‑side actions, but these consequences are inferred rather than explicitly confirmed in the advisory.
Affected Systems
Hashgraph Guardian up to the release that incorporates commit ba8c566 is affected. Any deployment still running the default 3.6.0 or earlier release is vulnerable; all subsequent releases that include the referenced commit are considered fixed.
Risk and Exploitability
With a CVSS score of 4.8, the flaw is classified as medium severity. EPSS data is not provided, and the vulnerability is not listed in the CISA KEV catalog, indicating no widespread exploitation has been reported. The attack requires an authenticated session with STANDARD_REGISTRY privileges to submit the malicious companyName, and it does not affect unauthenticated users or alter server‑side state. The risk is therefore limited to individuals with the necessary role who can use the API to inject data that will be rendered in other users’ browsers.
OpenCVE Enrichment