Impact
Guardian Language‑System disallows proper sanitization of the URL GET parameter named "name" before placing it into an <input> value attribute in designer.php. An attacker who can log in as an authenticated user can craft a link that contains script tags or other malicious payloads in the name parameter. When the victim opens that link in their browser session, the payload is executed, allowing the attacker to hijack the user’s session, deface the interface, or read other session data. This weakness grows to a client‑side XSS classified as CWE‑79, impacting confidentiality, integrity, and availability only within the victim’s authenticated session.
Affected Systems
The vulnerability affects the Guardian Language‑System application. No specific version range is listed in the CNA data, so any installed instance that includes designer.php and does not apply the patch is potentially vulnerable.
Risk and Exploitability
The CVSS score of 4.8 indicates moderate risk. EPSS is undefined, implying low exploit probability at the moment, and the flaw is not listed in CISA KEV catalog. Attackers must already be authenticated and able to request designer.php, making exploitation a privilege‑limited, client‑side attack. While the impact is limited to the victim’s session, any compromised user could be used for broader malicious activity by collecting credentials or performing further actions on behalf of the user.
OpenCVE Enrichment