Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in OpenWGA 7.11.12 Build 737. This impacts an unknown function of the component Admin UI. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Stored cross-site scripting (XSS) in OpenWGA 7.11.12 Build 737 Admin UI allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users who view the affected interface. Exploitation requires user interaction (clicking a crafted link or visiting a manipulated page), limiting real-world impact despite remote accessibility. Public exploit disclosure exists, but EPSS scoring (0.03%, 7th percentile) and low CVSS severity (2.0) indicate minimal active exploitation likelihood in real deployments.
Technical ContextAI
The vulnerability is a reflected or stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) within an unidentified function of the OpenWGA Admin UI component. OpenWGA is a web content management and application framework written in Java. The Admin UI likely processes user-supplied input for administrative tasks without proper output encoding or input validation, allowing attackers to inject executable JavaScript. The vulnerability requires authentication (CVSS PR:L) and user interaction (CVSS UI:P), indicating the attacker must lure an authenticated admin or user to click a malicious link or view a crafted payload within the admin interface.
Affected ProductsAI
OpenWGA version 7.11.12 Build 737 is confirmed vulnerable. No version range is provided in available data; it is unknown whether earlier versions (7.11.11, 7.11.x) or later versions are affected. The vendor did not respond to early disclosure, so no official advisory or patched version is documented.
RemediationAI
No vendor-released patch has been identified at time of analysis. Contact the OpenWGA development team to request a security update for the Admin UI component. As an interim compensating control, restrict access to the Admin UI to a whitelist of trusted IP addresses or deploy Web Application Firewall (WAF) rules to block or sanitize input containing script tags and event handlers (e.g., <script>, onerror=, onload=) in admin parameters. Educate authenticated users not to click untrusted links within the admin interface. If OpenWGA is not actively maintained, consider migrating to an alternative CMS with active security support. Monitor access logs to the Admin UI for unusual input patterns or multiple failed authentications.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today