Impact
In the affected version range of Twiser’s OKRs & Goals, input entered through the application is not properly neutralized before being rendered in web pages, permitting cross‑site scripting. When an attacker submits malicious script via a supported input field, that script is stored and subsequently executed in the browsers of any user who views the affected page. The impact is confinement to the victim’s browser and can lead to theft of session data, defacement of local content, or execution of further client‑side attacks, but it does not grant direct code execution on the server.
Affected Systems
Twiser Informatics Technology Consulting, Trade and Education Inc. – OKRs & Goals update 28220 through 28398 are affected. No additional vendor or product versions are listed.
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate severity, and the EPSS score is not available, which does not confirm current exploitation probability. This issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves web forms or data entry points that feed content directly into the application’s output rendering without proper sanitization. An attacker who can insert data into these fields can trigger the stored XSS when other users load the compromised page.
OpenCVE Enrichment