← Advisories

CMU CERT/CC VINCE v2.0.6 Stored XSS

Medium

Advisory ID

ZSL-2025-5917

Release Date

10 February 2025

Vendor

Carnegie Mellon University - https://www.kb.cert.org

Affected Version

<=2.0.6

CVE

N/A

Tested On

nginx/1.20.0, Django 3.2.17

Summary

VINCE is the Vulnerability Information and Coordination Environment developed and used by the CERT Coordination Center to improve coordinated vulnerability disclosure. VINCE is a Python-based web platform.

Description

The framework suffers from an authenticated stored cross-site scripting vulnerability. Input passed to the 'content' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Proof of Concept

vince_xss.txtTXT

Disclosure Timeline

13.01.2023Vulnerability discovered.

13.01.2023Vendor informed.

30.03.2023Vendor releases version 2.0.7 to address this issue.

10.02.2025Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://github.com/CERTCC/VINCE/releases/tag/v2.0.7

[2]https://packetstorm.news/files/id/189098/

[3]https://www.exploit-db.com/exploits/52181

Changelog

10.02.2025Initial release

09.05.2025Added reference [3]