CVE-2026-23997

Description

### Summary A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators. ### Details When an administrator views the History tab of that specific note, the script executes in their browser session. ### PoC 1. Log in as a regular user. 2. Open "Sales"=>"Customers"=> "Delivery Notes" <img width="818" height="223" alt="image" src="https://github.com/user-attachments/assets/82518644-2676-42db-93b1-86133986276c" /> 3. Chose one of the customer or create the new one. 4. Open "Delivery notes" <img width="2078" height="713" alt="image" src="https://github.com/user-attachments/assets/f7e5027f-e574-4807-9e9c-bf8a51bc1fff" /> 5. Create a new Delivery Note or edit an existing one. Fill the "Number 2" field with any value and save. <img width="2097" height="739" alt="image" src="https://github.com/user-attachments/assets/a3ca5ccb-3d9a-4cfc-a991-16206a1a862b" /> <img width="2097" height="858" alt="image" src="https://github.com/user-attachments/assets/9ca39755-4be6-4303-ab3c-b589cd222daf" /> 6. In the Observations field, enter the malicious JavaScript and save it again. <img width="2097" height="870" alt="image" src="https://github.com/user-attachments/assets/f189c53b-8b73-44e8-bb18-bd46f37cef4f" /> <img width="1539" height="885" alt="image" src="https://github.com/user-attachments/assets/b2d20eb1-246e-4acc-b904-77bc85373873" /> 7. Now we have record in "History" tab. <img width="2096" height="768" alt="image" src="https://github.com/user-attachments/assets/6b76d7d4-fc2c-4eb1-9137-4e4ba7287b9b" /> 8. Logout and login as admin. Next go to the "History" tab with malicious code: <img width="1730" height="702" alt="image" src="https://github.com/user-attachments/assets/54f4af37-72f3-47a0-9669-2b1f6293f2b4" /> <img width="1749" height="670" alt="image" src="https://github.com/user-attachments/assets/f7689083-0128-473c-a4e2-1898e801df78" /> <img width="1479" height="587" alt="image" src="https://github.com/user-attachments/assets/4a6d6e4e-4645-4566-be92-9964c470456e" /> <img width="1541" height="505" alt="image" src="https://github.com/user-attachments/assets/484d9e5f-596a-4508-a9cb-752e16e6564f" /> <img width="2095" height="904" alt="image" src="https://github.com/user-attachments/assets/5462f11c-b274-40e6-af00-d10e7fc1e855" /> Result: Upon opening the history record, the onerror event triggers, executing the JavaScript and displaying an alert box with the application's origin. ### Impact Change admin password via XSS: <img width="2094" height="1260" alt="image" src="https://github.com/user-attachments/assets/7598f986-0618-46e1-9dc7-64655975b19e" /> <img width="1584" height="1137" alt="image" src="https://github.com/user-attachments/assets/3e2302bc-01a3-4c47-ba9a-e69413e932b3" /> <img width="2084" height="373" alt="image" src="https://github.com/user-attachments/assets/21523278-5bcc-4743-8557-4b6563a127d0" /> <img width="1665" height="787" alt="image" src="https://github.com/user-attachments/assets/eca4d5b7-5dec-410f-9c59-99084821e350" /> Admin password was changed <img width="1488" height="598" alt="image" src="https://github.com/user-attachments/assets/53d3f4c1-accd-4136-8235-0fe5b287bbfe" /> This vulnerability results in a Critical Full Account Takeover, allowing any user with note-editing permissions to seize control of the admin account. It successfully bypasses CSRF protections and exploits the lack of "current password" verification during credential changes. Once compromised, the attacker gains total access to the system's management, sensitive financial data, and user configurations. ### Technical requirements & Complexity The attack requires prior technical knowledge of the internal API structure (field names and required values), which can be obtained by a legitimate user through browser developer tools. While it requires the target's code (e.g., admin), this is a common default value in most installations.