The messages module was affected by two instances of Cross-Site Scripting (XSS). The first involved the “stage” parameter when using the “setup” functionality.
The second instance affected the parameter called “parameter”, sent in the POST data when a message is saved. The payload was reflected in a response served with an HTML content type.
This vulnerability allows a remote attacker to gain control of the victim's browser when a malicious link is clicked. The attacker could steal the session cookie, trick the user into entering their credentials or, in general, take control of the web application flow.
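One way to close both instances, shown as an added example that is not code from the affected product: the “stage” value is checked against an allowlist and HTML-encoded on output, and the save reply that echoes “parameter” is sent as JSON instead of HTML. The handler layout, the stage names, the helper names and the use of `$_GET` for “stage” are assumptions; the code needs PHP 8.

```php
<?php
// Added example: hypothetical handler, not the affected product's code.
declare(strict_types=1);

// Assumption: the setup flow accepts only a fixed set of stage names.
const ALLOWED_STAGES = ['start', 'configure', 'finish'];

/** Encode untrusted text for HTML element or quoted-attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return the requested stage only if it is on the allowlist. */
function validated_stage(mixed $raw): string
{
    $ok = is_string($raw) && in_array($raw, ALLOWED_STAGES, true);
    return $ok ? $raw : ALLOWED_STAGES[0];
}

/** Build the save reply as JSON so the browser never parses it as HTML. */
function save_response(mixed $raw): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR;
    $value = is_string($raw) ? $raw : ''; // arrays (parameter[]=x) are dropped
    return json_encode(['saved' => true, 'parameter' => $value], $flags);
}

if (PHP_SAPI !== 'cli') {
    header('X-Content-Type-Options: nosniff');
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        header('Content-Type: application/json; charset=utf-8');
        echo save_response($_POST['parameter'] ?? null);
    } else {
        // Assumption: "stage" arrives in the query string.
        header('Content-Type: text/html; charset=utf-8');
        $stage = validated_stage($_GET['stage'] ?? null);
        echo '<input type="hidden" name="stage" value="' . h($stage) . '">';
    }
} else {
    // Offline run (php example.php) on a constructed sample value.
    $sample = '"><b>constructed</b>';
    echo h($sample), PHP_EOL;
    echo validated_stage($sample), PHP_EOL;
    echo save_response($sample), PHP_EOL;
}
```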
The first instance affects the messages.php file using these parameters:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8