CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-0912
https://notcve.org/view.php?id=CVE-2017-0912
Ubiquiti UCRM versions 2.5.0 to 2.7.7 are vulnerable to Stored Cross-site Scripting. Due to the lack sanitization, it is possible to inject arbitrary HTML code by manipulating the uploaded filename. Successful exploitation requires valid credentials to an account with "Edit" access to "Scheduling". Ubiquiti UCRM desde la versión 2.5.0 a la 2.7.7 es vulnerable a Cross-Site Scripting (XSS) persistente. Debido a la falta de saneamiento, es posible inyectar código HTML arbitrario manipulando el nombre de archivo subido. • https://community.ubnt.com/t5/UCRM/New-UCRM-upgrades-available-2-8-2-and-2-9-0-beta3/td-p/2211814 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •