Impact
The vulnerability comprises multiple stored cross-site scripting weaknesses in the Edit feature of the Software Package List page of IngEstate Server v11.14.0. Attackers can embed malicious scripts or HTML into the About application, What’s news, or Release note fields; the browser then executes the injected code whenever any user views the page. This can lead to session hijacking, credential theft, or malicious actions carried out in the client’s browser context. The impact is limited to users who view the affected page, but because the payload is stored, any authenticated user who accesses the page may be compromised. The weakness is a classic stored XSS (CWE-79) that requires no user interaction beyond viewing the page.
Affected Systems
The affected system is IngEstate Server, specifically version 11.14.0. The bug resides in the Edit functionality of the Software Package List page, where inputs for About application, What’s news, and Release notes are not properly sanitized before rendering. No other vendors or products are listed. The scope is confined to this application version and feature set.
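The root cause described above is stored field text reaching the page without output encoding. The following added example (constructed here, not IngEstate code; field identifiers and the sample record are assumptions) shows the vulnerable rendering pattern beside its hardened form and a small regression check a defender can run over rendered output:

```python
import html
import re

# The three user-editable fields named in the advisory (identifiers are assumed,
# not IngEstate's own).
FIELDS = ("about_application", "whats_news", "release_note")
_SECTION = re.compile(r"<section id='([a-z_]+)'>(.*?)</section>", re.S)


def render_vulnerable(pkg: dict) -> str:
    """Raw concatenation: stored field text reaches the page unchanged (the CWE-79 pattern)."""
    return "".join(f"<section id='{f}'>{pkg.get(f, '')}</section>" for f in FIELDS)


def render_hardened(pkg: dict) -> str:
    """Contextual output encoding for an HTML text node: html.escape with quote=True
    maps & < > " ' to entities, so stored markup is displayed as text rather than
    parsed by the browser. Attribute, URL and script contexts need their own encoders."""
    return "".join(
        f"<section id='{f}'>{html.escape(str(pkg.get(f, '')), quote=True)}</section>"
        for f in FIELDS
    )


def unsafe_fields(rendered: str) -> list:
    """Regression check for a test suite or response scanner: return the ids of field
    bodies in which a literal '<' survived rendering. A correctly encoded body only
    ever contains '&lt;', never a raw angle bracket."""
    return [name for name, body in _SECTION.findall(rendered) if "<" in body]


# Constructed sample record; the first and third values carry HTML metacharacters.
SAMPLE_PACKAGE = {
    "about_application": "<script>/* constructed marker */</script>",
    "whats_news": "Bug fixes and performance improvements",
    "release_note": 'Requires 1 < 2 & "quoted" text',
}

if __name__ == "__main__":
    print(unsafe_fields(render_vulnerable(SAMPLE_PACKAGE)))  # ['about_application', 'release_note']
    print(unsafe_fields(render_hardened(SAMPLE_PACKAGE)))    # []
```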
Risk and Exploitability
The CVSS score of 6.1 reflects moderate severity; the vulnerability is not in the CISA KEV catalog. Exploitation likely requires an account with access to the web interface and permission to edit the Software Package List, into which a crafted payload is injected. Once the payload is stored, the attacker can rely on end users visiting the page to trigger it, so the risk is primarily to the confidentiality and integrity of user sessions and to the trustworthiness of the web UI. The expected attack vector is the web interface; no additional network access or local privilege escalation is required.
OpenCVE Enrichment