Description
A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted HTTP request.
Published: 2026-03-26
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that enables arbitrary JavaScript execution in user browsers
Action: Patch
AI Analysis

Impact

A vulnerability in Staffwiki v7.0.1.19219 allows an attacker to inject JavaScript code through a crafted HTTP request to the wff_cols_pref.css.aspx endpoint. When a victim’s browser processes the response, the malicious script runs with the user’s privileges, potentially leaking credentials, session cookies, or other sensitive data. The weakness is a classic XSS flaw (CWE‑79).

Affected Systems

The affected product is Staffwiki, version 7.0.1.19219. No additional vendor or product data was supplied by the CNA, and no other impacted versions are listed. Users of this specific Staffwiki build should verify whether they are running this vulnerable version.

Risk and Exploitability

The CVSS base score of 6.1 indicates a medium severity. EPSS scores below 1% suggest the vulnerability has a low probability of exploitation in the near term, and it is not currently documented in the CISA KEV catalog. Nevertheless, the attack vector is remote; an attacker can trigger the flaw by sending a crafted HTTP request, making the vulnerability accessible over the network without prior authentication or local access. Because it executes in the victim’s browser, the impact can range from credential theft to full session hijacking, depending on what information the compromised context can reach.

Generated by OpenCVE AI on March 30, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website or support channels for a security patch or newer release of Staffwiki that addresses the XSS flaw.
  • If an official fix is not available, avoid exposing the wff_cols_pref.css.aspx endpoint to unauthenticated users or remove the endpoint if it is not required for functionality.
  • Implement a Content Security Policy that restricts inline scripts and disallows unsafe-eval to mitigate the impact of any potential script injection.
  • Consider applying input sanitization or escape mechanisms in any code that renders user-controlled data to the wff_cols_pref.css.aspx page, if custom development is possible.

Generated by OpenCVE AI on March 30, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Workflowfirst
Workflowfirst staffwiki
CPEs cpe:2.3:a:workflowfirst:staffwiki:7.0.1.19219:*:*:*:*:*:*:*
Vendors & Products Workflowfirst
Workflowfirst staffwiki

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in Staffwiki v7.0.1.19219

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in Staffwiki v7.0.1.19219
Weaknesses CWE-79

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via wff_cols_pref.css.aspx in StaffWiki v7.0.1.19219
Weaknesses CWE-79

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via wff_cols_pref.css.aspx in StaffWiki v7.0.1.19219
Weaknesses CWE-79

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Cmoncrook
Cmoncrook staffwiki
Vendors & Products Cmoncrook
Cmoncrook staffwiki

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Description A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted HTTP request.
References

Subscriptions

Cmoncrook Staffwiki
Workflowfirst Staffwiki
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-30T14:56:27.205Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29969

cve-icon Vulnrichment

Updated: 2026-03-30T13:53:50.388Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T19:16:59.600

Modified: 2026-05-07T18:57:08.240

Link: CVE-2026-29969

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:57:50Z

Weaknesses