|Affected Version(s)||1.14.2 and probably prior|
|Vendor Notification||May 27, 2020|
|Advisory Publication||May 27, 2020 [without technical details]|
|Vendor Fix||Version 1.15|
|Public Disclosure||August 4, 2020|
|Latest Modification||August 4, 2020|
|Product Description||i-doit is a web-based IT documentation and CMDB. i-doit documents IT systems and their changes, defines emergency plans, displays vital information and helps to ensure a stable and efficient IT operation.|
|Credits||Carlos Ramírez L., Security Researcher & Penetration Tester @wizlynx group|
|Reflected Cross-Site Scripting (XSS) Vulnerability|
|Severity: Medium||CVSS Score: 5.4||CWE-ID: CWE-79||Status: Not Fixed|
|CVSS Base Score|
|Attack Complexity||Low||Confidentiality Impact||Low|
|Privileges Required||Low||Integrity Impact||Low|
|User Interaction||Required||Availability Impact||None|
i-doit contains one Reflected Cross-Site Scripting (XSS) vulnerability caused by a lack of input validation and output encoding.
The submitted input was echoed unmodified in the application's response, resulting in Cross-Site Scripting (see request below).