Description: Cross Site Scripting vulnerability in ZenarioCMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Organizer - Spare alias.
Attack Vectors: A vulnerability in the sanitization of the Spare alias entry allows injecting JavaScript code that will be executed when the user accesses the web page.
After logging into the panel, we go to "Organizer - Spare alias" in the Organizer menu.
We click on Create a spare alias and add the following payload to the Spare alias field:
"' onfocus="alert(1)" autofocus="
In the following image you can see the XSS pop-up when the payload is executed:
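The payload works by closing the attribute value it lands in and adding its own onfocus and autofocus attributes. The added example below is not Zenario's code; the input markup, the function names and the alias character policy are assumptions. It shows that pattern next to two fixes: attribute encoding on output and allowlist validation on input.

```javascript
// Added example, not Zenario's code. Assumption: the alias is written back
// into a double-quoted HTML attribute, which is what the payload's shape implies.
const PAYLOAD = `"' onfocus="alert(1)" autofocus="`; // payload quoted on the page

// Vulnerable pattern: raw concatenation into an attribute value.
function renderUnsafe(alias) {
  return '<input type="text" name="alias" value="' + alias + '">';
}

// Fix 1: encode every character that can terminate or reopen an attribute.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
function escapeAttr(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => ENTITIES[c]);
}
function renderSafe(alias) {
  return '<input type="text" name="alias" value="' + escapeAttr(alias) + '">';
}

// Fix 2: validate on input. Hypothetical policy: letters, digits, "-" and "_".
function isValidAlias(alias) {
  return typeof alias === 'string' && /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/.test(alias);
}

// Simplified attribute scanner for a single tag (not a full HTML parser),
// used to show which attributes the rendered markup ends up carrying.
function attributeNames(tag) {
  const inner = tag.replace(/^<[A-Za-z0-9]+/, '').replace(/\/?>$/, '');
  const attr = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>]+))?/g;
  return [...inner.matchAll(attr)].map((m) => m[1].toLowerCase());
}

// True when the rendered tag carries an inline event handler (on* attribute).
function hasEventHandler(tag) {
  return attributeNames(tag).some((name) => name.startsWith('on'));
}

console.log(attributeNames(renderUnsafe(PAYLOAD))); // extra attributes appear
console.log(attributeNames(renderSafe(PAYLOAD)));   // payload stays inside value
console.log(isValidAlias(PAYLOAD), isValidAlias('spare-alias_1'));
```

Encoding on output is the fix that holds even if a malformed alias is already stored; the input allowlist only stops new ones from being saved.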