Skip to main content

Stel Order

2 CVEs product

Monthly

CVE-2026-5790 MEDIUM This Month

Stored cross-site scripting (XSS) in Stel Order v3.25.1 and earlier allows unauthenticated remote attackers to inject persistent malicious JavaScript via the 'legalName' and 'employeeID' parameters at the '/app/FrontController' endpoint. When administrators or other users access affected sections, injected code executes in their browsers with user interaction, enabling session hijacking and account takeover. SSVC framework rates this as automatable but only partial technical impact with no confirmed active exploitation.

XSS Stel Order
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-5798 HIGH This Week

Insecure Direct Object Reference (IDOR) in Stel Order v3.25.1 and earlier allows authenticated attackers with low privileges to access confidential employee information across the organization by manipulating the 'employeeID' parameter in requests to the '/app/FrontController' endpoint. Attackers can enumerate and retrieve personal data including names, roles, job titles, and vacation records for any employee regardless of authorization level. EPSS data not available; no confirmed active exploitation (not in CISA KEV). CVSS 7.1 reflects high confidentiality impact but requires authentication, limiting immediate exposure to insider threats or compromised accounts.

Authentication Bypass Stel Order
NVD
CVSS 4.0
7.1
EPSS
0.0%
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting (XSS) in Stel Order v3.25.1 and earlier allows unauthenticated remote attackers to inject persistent malicious JavaScript via the 'legalName' and 'employeeID' parameters at the '/app/FrontController' endpoint. When administrators or other users access affected sections, injected code executes in their browsers with user interaction, enabling session hijacking and account takeover. SSVC framework rates this as automatable but only partial technical impact with no confirmed active exploitation.

XSS Stel Order
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Insecure Direct Object Reference (IDOR) in Stel Order v3.25.1 and earlier allows authenticated attackers with low privileges to access confidential employee information across the organization by manipulating the 'employeeID' parameter in requests to the '/app/FrontController' endpoint. Attackers can enumerate and retrieve personal data including names, roles, job titles, and vacation records for any employee regardless of authorization level. EPSS data not available; no confirmed active exploitation (not in CISA KEV). CVSS 7.1 reflects high confidentiality impact but requires authentication, limiting immediate exposure to insider threats or compromised accounts.

Authentication Bypass Stel Order
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy