Myems
Monthly
Stored cross-site scripting in MyEMS up to 6.4.0 allows a high-privileged attacker to inject malicious script via the `new_values['data']` argument in the `on_post` function of `myems-api/core/svg.py` within the Admin Backend, which then executes in a victim administrator's browser upon viewing the affected SVG content. The CVSS 4.0 score of 1.9 reflects the limited real-world impact: exploitation requires existing administrative access and victim interaction, constraining this to a privilege-abuse scenario rather than an external intrusion vector. A public proof-of-concept exists via GitHub issue #412, and a vendor-released patch is available in version 6.5.0.
Stored cross-site scripting in MyEMS up to 6.4.0 allows a high-privileged attacker to inject malicious script via the `new_values['data']` argument in the `on_post` function of `myems-api/core/svg.py` within the Admin Backend, which then executes in a victim administrator's browser upon viewing the affected SVG content. The CVSS 4.0 score of 1.9 reflects the limited real-world impact: exploitation requires existing administrative access and victim interaction, constraining this to a privilege-abuse scenario rather than an external intrusion vector. A public proof-of-concept exists via GitHub issue #412, and a vendor-released patch is available in version 6.5.0.