CVE-2024-3938

The "reset password" login page accepted an HTML injection via URL parameters.<br /> <br /> This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&amp;resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E <br /> <br /> This will result in a view along these lines:<br /> <br /> <br /> <br /> <br /> <br /> * OWASP Top 10 - A03: Injection<br /> * CVSS Score: 5.4<br /> * AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator <br /> * https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&amp;... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator