Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS requires victim to view the injected page (UI:R); PR:L reflects required low-privilege account; S:C and C:L/I:L capture cross-boundary session impact.
Primary rating from Vendor (TR-CERT).
CVSS VectorVendor: TR-CERT
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS.
This issue affects DivvyDrive: from 4.8.2.23 before v.4.8.3.1.
AnalysisAI
Stored cross-site scripting in DivvyDrive (versions 4.8.2.23 through before 4.8.3.1) allows authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users who view affected pages. The CVSS scope change (S:C) reflects that injected scripts operate outside the application's security boundary, enabling session hijacking or credential theft against higher-privileged victims such as administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid DivvyDrive account with at least low-privilege access (PR:L per CVSS) sufficient to submit input to a stored field within the application. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 6.4 (Medium) uses vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privilege DivvyDrive user submits a crafted payload - for example, a script tag embedded in a shared document title, comment field, or profile field - that the application stores without sanitization. When an administrator or other user subsequently views the page containing the stored content, the script silently executes in their browser, exfiltrating their session cookie to an attacker-controlled endpoint and enabling account takeover. … |
| Remediation | Upgrade DivvyDrive to version 4.8.3.1 or later, which resolves this stored XSS vulnerability per the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0475. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Divvydrive
View allStored cross-site scripting in DivvyDrive 4.8.2.9 through 4.8.3.1 enables remote attackers to inject malicious scripts t
Cross-site scripting (XSS) in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to execute arbi
Remote attackers can cause excessive resource allocation and flooding attacks in DivvyDrive 4.8.2.19 through 4.8.3.1 by
Cross-Site Request Forgery in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote attackers to execute unauthorized actions
Stored XSS in DivvyDrive versions v.4.8.2.23 through before v.4.8.3.1 enables an authenticated low-privilege user to inj
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41008
GHSA-rr2x-7r28-45fw