CMU CERT/CC VINCE v2.0.6 Stored XSS
Title: CMU CERT/CC VINCE v2.0.6 Stored XSS
Advisory ID: ZSL-2025-5917
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 10.02.2025
Django 3.2.17
[13.01.2023] Vendor informed.
[30.03.2023] Vendor releases version 2.0.7 to address this issue.
[10.02.2025] Public security advisory released.
[2] https://packetstorm.news/files/id/189098/
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2025-5917
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 10.02.2025
Summary
VINCE is the Vulnerability Information and Coordination Environment developed and used by the CERT Coordination Center to improve coordinated vulnerability disclosure. VINCE is a Python-based web platform.Description
The framework suffers from an authenticated stored cross-site scripting vulnerability. Input passed to the 'content' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.Vendor
Carnegie Mellon University - https://www.kb.cert.orgAffected Version
<=2.0.6Tested On
nginx/1.20.0Django 3.2.17
Vendor Status
[13.01.2023] Vulnerability discovered.[13.01.2023] Vendor informed.
[30.03.2023] Vendor releases version 2.0.7 to address this issue.
[10.02.2025] Public security advisory released.
PoC
vince_xss.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://github.com/CERTCC/VINCE/releases/tag/v2.0.7[2] https://packetstorm.news/files/id/189098/
Changelog
[10.02.2025] - Initial releaseContact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
