Impact
Raera’s Destekz product does not properly neutralize user‑controlled input during web page generation (CWE‑79), resulting in a reflected Cross‑Site Scripting (XSS) flaw. An attacker crafts a URL whose parameter value the application echoes into the page; when a user follows that link, the embedded script executes in the victim’s browser in the context of the Destekz origin. The impact is confined to the victim’s session, but within it the attacker can read session tokens or captured credentials, present phishing content, or deface the page.
Affected Systems
The vulnerability is present in all releases of Destekz up to 02062026. The vendor has confirmed that the product is no longer supported and that no patch will be released, so every deployed version should be treated as permanently vulnerable.
Risk and Exploitability
A CVSS base score of 6.1 places the flaw in the Medium severity range. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, which suggests no known widespread exploitation; neither signal proves the flaw is unexploited, only that no public evidence of exploitation has been recorded. As reflected XSS, the attack requires no server‑side compromise: the attacker only needs to lure a victim to a crafted link or form. Because no fix will ship, the risk persists until the application is decommissioned or reduced by compensating controls, such as encoding or blocking the reflected parameter at a reverse proxy or WAF and serving a Content‑Security‑Policy that disallows inline script.
OpenCVE Enrichment