CVE-2025-50986

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-50986
diskover-web v2.3.0 Community Edition suffers from multiple stored cross-site scripting (XSS) vulnerabilities in its administrative settings interface. Various configuration fields such as ES_HOST, ES_INDEXREFRESH, ES_PORT, ES_SCROLLSIZE, ES_TRANSLOGSIZE, ES_TRANSLOGSYNCINT, EXCLUDES_FILES, FILE_TYPES[], INCLUDES_DIRS, INCLUDES_FILES, and TIMEZONE do not properly sanitize user-supplied input. Malicious payloads submitted via these parameters are persisted in the application and executed whenever an administrator views or edits the settings page.

5.6 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/4rdr/proofs/blob/main/info/diskover-web-v2.3.0-community-edition-stored-xss.md
Configurations

No configuration.

History

29 Aug 2025, 16:24

Type Values Removed Values Added
Summary
  • (es) diskover-web v2.3.0 Community Edition presenta múltiples vulnerabilidades de cross-site scripting (XSS) almacenado en su interfaz de configuración administrativa. Diversos campos de configuración, como ES_HOST, ES_INDEXREFRESH, ES_PORT, ES_SCROLLSIZE, ES_TRANSLOGSIZE, ES_TRANSLOGSYNCINT, EXCLUDES_FILES, FILE_TYPES[], INCLUDES_DIRS, INCLUDES_FILES y TIMEZONE, no depuran correctamente la información proporcionada por el usuario. Los payloads maliciosos enviados mediante estos parámetros persisten en la aplicación y se ejecutan cada vez que un administrador accede o edita la página de configuración.

27 Aug 2025, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-27 15:15

Updated : 2025-08-29 16:24

NVD link : CVE-2025-50986

Mitre link : CVE-2025-50986

CVE.ORG link : CVE-2025-50986

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')