Home

Description

diskover-web v2.3.0 Community Edition suffers from multiple stored cross-site scripting (XSS) vulnerabilities in its administrative settings interface. Various configuration fields such as ES_HOST, ES_INDEXREFRESH, ES_PORT, ES_SCROLLSIZE, ES_TRANSLOGSIZE, ES_TRANSLOGSYNCINT, EXCLUDES_FILES, FILE_TYPES[], INCLUDES_DIRS, INCLUDES_FILES, and TIMEZONE do not properly sanitize user-supplied input. Malicious payloads submitted via these parameters are persisted in the application and executed whenever an administrator views or edits the settings page.

PUBLISHED Reserved 2025-06-16 | Published 2025-08-27 | Updated 2025-08-27 | Assigner mitre

References

github.com/...ver-web-v2.3.0-community-edition-stored-xss.md

cve.org (CVE-2025-50986)

nvd.nist.gov (CVE-2025-50986)

Download JSON