Impact
DivvyDrive, a product of DivvyDrive Information Technologies Inc., contains a persistent (stored) cross-site scripting vulnerability caused by improper neutralization of user input during web page generation. An attacker can inject malicious JavaScript into stored fields; the script then executes in the browser of any user who views the affected page, with that user's privileges. This can facilitate credential theft, session hijacking, defacement, or additional client-side attacks.
Affected Systems
The vulnerability impacts DivvyDrive versions prior to 4.8.3.1, including 4.8.2.23 and earlier releases.
Risk and Exploitability
The assigned CVSS score of 6.4 indicates moderate severity, and the vulnerability is not listed in CISA's KEV catalog. EPSS data is unavailable, but the stored nature of the flaw suggests that it can be triggered by any user with write access to the affected fields. Exploitation requires submitting crafted input that becomes part of a stored response; the injected script then executes in the browser of any user who views that content.
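The flaw class described above, as an added example that is not DivvyDrive's code: a stored field rendered without and with output encoding, plus a heuristic audit for values that were stored before an upgrade. The record shape, field names, function names and sample values are constructed assumptions.

```javascript
// Added example: hypothetical record shape, not DivvyDrive's schema or code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The flawed pattern: stored text is concatenated into markup unchanged.
function renderUnsafe(record) {
  return `<li title="${record.description}">${record.name}</li>`;
}

// The corrected pattern: every stored value is encoded at output time.
function renderSafe(record) {
  return `<li title="${escapeHtml(record.description)}">${escapeHtml(record.name)}</li>`;
}

// Triage helper (heuristic): flag stored values that would alter markup
// if a page ever rendered them without encoding.
const ACTIVE_MARKUP = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:/i;
function auditRecords(records, fields) {
  const findings = [];
  for (const record of records) {
    for (const field of fields) {
      if (typeof record[field] === 'string' && ACTIVE_MARKUP.test(record[field])) {
        findings.push({ id: record.id, field });
      }
    }
  }
  return findings;
}

// Constructed sample data; the markers are inert comments.
const SAMPLE_RECORDS = [
  { id: 1, name: 'Q3 report.pdf', description: 'Finance & audit, 2 < 3' },
  { id: 2, name: '<script>/* constructed marker */</script>', description: 'shared folder' },
  { id: 3, name: 'notes.txt', description: '" onmouseover="/* constructed marker */' },
];
```

Fixing the renderer does not clean data already in the database, so an audit like `auditRecords` is worth running over existing fields after upgrading; expect false positives, since it only pattern-matches.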