diskover-web v2.3.0 Community Edition suffers from multiple stored cross-site scripting (XSS) vulnerabilities in its administrative settings interface. Various configuration fields such as ES_HOST, ES_INDEXREFRESH, ES_PORT, ES_SCROLLSIZE, ES_TRANSLOGSIZE, ES_TRANSLOGSYNCINT, EXCLUDES_FILES, FILE_TYPES[], INCLUDES_DIRS, INCLUDES_FILES, and TIMEZONE do not properly sanitize user-supplied input. Malicious payloads submitted via these parameters are persisted in the application and executed whenever an administrator views or edits the settings page.
                
            References
                    Configurations
                    History
                    09 Sep 2025, 18:53
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time | Diskoverdata diskover Diskoverdata | |
| References | () https://github.com/4rdr/proofs/blob/main/info/diskover-web-v2.3.0-community-edition-stored-xss.md - Exploit | |
| CPE | cpe:2.3:a:diskoverdata:diskover:2.3.0:*:*:*:community:*:*:* | 
29 Aug 2025, 16:24
| Type | Values Removed | Values Added | 
|---|---|---|
| Summary | 
 | 
27 Aug 2025, 15:15
| Type | Values Removed | Values Added | 
|---|---|---|
| New CVE | 
Information
                Published : 2025-08-27 15:15
Updated : 2025-09-09 18:53
NVD link : CVE-2025-50986
Mitre link : CVE-2025-50986
CVE.ORG link : CVE-2025-50986
JSON object : View
Products Affected
                diskoverdata
- diskover
CWE
                
                    
                        
                        CWE-79
                        
            Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
