Description
A reflected cross-site scripting (XSS) vulnerability in the login_newpwd.php endpoint of Interzen Consulting S.r.l ZenShare Suite v17.0 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted URL injected into the codice_azienda parameter.
Published: 2026-04-02
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side XSS
Action: Apply Patch
AI Analysis

Impact

A reflected cross‑site scripting flaw resides in the login_newpwd.php endpoint of ZenShare Suite 17.0. Injecting crafted JavaScript into the codice_azienda query parameter can cause a victim’s browser to execute arbitrary code while the site appears legitimate. The flaw is a client‑side code execution vulnerability identified as CWE‑79. Based on the nature of reflected XSS, an attacker could potentially hijack sessions, steal credentials, or alter the page presented to the user, though no direct server exposure is described.

Affected Systems

Only ZenShare Suite 17.0 distributed by Interzen Consulting S.r.l. is mentioned as vulnerable. No other vendors, products, or version ranges appear in the data. Therefore the risk is confined to this single product and release.

Risk and Exploitability

The CVSS score of 6.1 signals a medium severity, and the EPSS score of under 1% indicates a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require a victim to click a malicious link or be exposed to a crafted URL, implying a remote web‑access attack vector. No privileged credentials or additional conditions are noted in the data, but this lack of stated constraints is an inference, not an explicit requirement.

Generated by OpenCVE AI on April 3, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ZenShare Suite to a version where the login_newpwd.php XSS issue has been fixed.
  • If an immediate patch is unavailable, sanitize the codice_azienda parameter and escape all user‑supplied data before rendering it to mitigate reflected XSS.
  • Verify the applied patch or mitigation by conducting a sanity test, such as submitting a harmless string to code and confirming no script execution.

Generated by OpenCVE AI on April 3, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS in ZenShare Suite 17.0 Login Endpoint

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Reflected XSS in ZenShare Suite 17.0 Login Endpoint
First Time appeared Interzen Consulting
Interzen Consulting zenshare Suite
Weaknesses CWE-79
Vendors & Products Interzen Consulting
Interzen Consulting zenshare Suite

Thu, 02 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description A reflected cross-site scripting (XSS) vulnerability in the login_newpwd.php endpoint of Interzen Consulting S.r.l ZenShare Suite v17.0 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted URL injected into the codice_azienda parameter.
References

Subscriptions

Interzen Consulting Zenshare Suite
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T14:39:19.366Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30251

cve-icon Vulnrichment

Updated: 2026-04-03T14:38:50.405Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-02T21:16:40.357

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-30251

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:17:20Z

Weaknesses