Impact
Guardian language‑system has a reflected cross‑site scripting flaw where the id GET parameter is placed directly into HTML source and form action attributes of media.php. An attacker who is logged in can craft a URL containing script tags. When the victim visits the URL, the script runs in the browser session, allowing cookie theft or execution of arbitrary client‑side actions on behalf of the logged‑in user. This weakness is identified as CWE‑79.
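An added example, not Guardian language-system's own code: one way to validate and escape the id parameter before it reaches a form action attribute in media.php. It assumes id is a positive integer; the function names and sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical reconstruction: the page says only that the `id` GET parameter
// reaches HTML source and form action attributes of media.php unescaped.
// The vulnerable pattern would look like:
//   echo '<form action="media.php?id=' . $_GET['id'] . '">';   // raw input in attribute

/** Accept only a positive integer id (assumed format); reject everything else. */
function parse_media_id(mixed $raw): ?int
{
    if (!is_string($raw)) {          // arrays (id[]=...) or a missing parameter
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Escape for an HTML attribute value: quotes must be encoded as well as < > &. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the form tag: URL-encode the query first, then HTML-escape the whole URL. */
function render_media_form(int $id): string
{
    $action = 'media.php?' . http_build_query(['id' => $id]);
    return '<form action="' . attr($action) . '">';
}

// Constructed sample inputs standing in for $_GET['id'].
$samples = ['42', '42"><b>x</b>', ['42'], ''];
foreach ($samples as $raw) {
    $id = parse_media_id($raw);
    echo $id === null
        ? "rejected (respond with HTTP 400)\n"
        : render_media_form($id) . "\n";
}
```

Only the first sample produces a form tag; the other three are rejected before any HTML is built, so escaping acts as a second layer rather than the only one.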
Affected Systems
The affected product is Guardian language‑system. The CVE description does not provide a version range, so any build that contains media.php without proper input sanitization may be affected. It is not known whether recent releases have fixed the issue; without explicit version data, it is uncertain whether newer versions address the flaw.
Risk and Exploitability
The CVSS score of 4.8 indicates moderate severity: the impact is not rated high, but the flaw still leaves room for credential‑based abuse. EPSS data is unavailable, and the vulnerability is not tracked by CISA KEV, suggesting there is no known widespread exploitation. The flaw requires that the attacker be authenticated to the system; the attacker can trigger the exploit simply by visiting a malicious URL after login. Consequently, the risk is elevated only if user credentials are compromised or misused, and no public exploits have been reported at this time.
OpenCVE Enrichment