Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Stored XSS requires an authenticated low-privilege account (PR:L), victim page load (UI:R), and browser context escape confirms scope change (S:C); no availability impact applies.
Primary rating from Vendor (TR-CERT).
CVSS VectorVendor: TR-CERT
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS.
This issue affects DivvyDrive: from v.4.8.2.23 before v.4.8.3.1.
AnalysisAI
Stored XSS in DivvyDrive versions v.4.8.2.23 through before v.4.8.3.1 enables an authenticated low-privilege user to inject persistent malicious scripts into application content that execute in the browsers of other users who subsequently view the affected page. The CVSS scope change indicator (S:C) reflects that the injected payload breaks out of the application's security boundary into the victim's browser context, enabling session hijacking or unauthorized actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid authenticated account with at least low-privilege access to the DivvyDrive application (PR:L per CVSS vector) running an affected version from v.4.8.2.23 to before v.4.8.3.1. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.4 Medium score is driven by network accessibility (AV:N), low complexity (AC:L), low privilege requirement (PR:L), required victim interaction (UI:R), scope change (S:C), and limited confidentiality and integrity impact (C:L/I:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid low-privilege DivvyDrive account submits a payload such as a script tag or JavaScript event handler into a shared input field - for example, a file comment, document name, or profile field - that is stored and later rendered for other users. When an administrator or co-worker loads the affected page, the injected script silently executes in their browser, potentially exfiltrating their session cookie to an attacker-controlled server. … |
| Remediation | Upgrade DivvyDrive to version v.4.8.3.1 or later, which resolves this stored XSS vulnerability per the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0475. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Divvydrive
View allStored cross-site scripting in DivvyDrive 4.8.2.9 through 4.8.3.1 enables remote attackers to inject malicious scripts t
Cross-site scripting (XSS) in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to execute arbi
Remote attackers can cause excessive resource allocation and flooding attacks in DivvyDrive 4.8.2.19 through 4.8.3.1 by
Cross-Site Request Forgery in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote attackers to execute unauthorized actions
Stored cross-site scripting in DivvyDrive (versions 4.8.2.23 through before 4.8.3.1) allows authenticated low-privilege
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41010
GHSA-4qcc-v76c-xv54