Stored XSS vulnerability in Flyspray before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges, via the realname or emailaddress field to themes/CleanFS/templates/common.editallusers.tpl.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:flyspray:flyspray:*:rc4:*:*:*:*:*:*"
],
"extracted_events": [
{
"last_affected": "1.0"
}
],
"source": "CPE_RANGE",
"vendor_product": "flyspray:flyspray"
}
]
}