Cross-site scripting in GoldenHorn (a web-based trade management platform by TAC Information Services Internal and External Trade Inc.) allows a low-privileged authenticated attacker to inject malicious JavaScript into pages rendered by other users, resulting in limited confidentiality impact such as session token or data exfiltration. All versions prior to 4.25.1121.1 are affected. No active exploitation has been confirmed (not listed in CISA KEV), and the EPSS score of 0.02% (7th percentile) indicates very low exploitation probability at time of analysis.
{realm}/roles endpoint, allowing high-privileged authenticated users to access role information they should not have permission to view. With a CVSS score of 2.7 and EPSS of 0.01%, this is a low-severity information disclosure affecting confidentiality only; no public exploit identified at time of analysis.