[//]: # (werk v2) # Fix XSS in confirmation pop-up key | value ---------- | --- date | 2024-06-10T10:40:28+00:00 version | 2.3.0p7 class | security edition | cre component | wato level | 1 compatible | yes Prior to this Werk, there was a potential for HTML elements from user inputs to be rendered in certain confirmation pop-ups, leading to an XSS vulnerability. This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH. *Affected Versions*: * 2.3.0 * 2.2.0 *Indicators of Compromise*: Injected HTML elements in some specific user input fields with no proper escaping that are displayed in the confirmation pop-up. *Vulnerability Management*: We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`, and assigned `CVE-2024-28831`.