CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
What the vulnerability does
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shanebp BP Messages Tool bp-messages-tool allows Reflected XSS.This issue affects BP Messages Tool: from n/a through <= 2.2.
Explanation of Vulnerability in Simple Terms
BP Messages Tool versions 2.2 and earlier contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into messages. When a victim views a crafted message, the attacker's code runs in their browser with access to their session. The vulnerability affects all users but requires the victim to interact with a malicious message link.
What an attacker can do
Inject JavaScript code that runs in a victim's browser when they view a message, potentially stealing session tokens or performing actions as that user.
Potential impact on your site
Users' accounts and data are at risk if they interact with malicious messages. Attackers can impersonate users or steal sensitive information from their sessions.
Conditions required to exploit
No authentication required. Victim must click a link to or view a crafted message. Attack reaches across site boundaries (Scope: Changed).
Key dates
External resources
Related vulnerabilities
