# CVE-2024-54795
**Severity :** **Medium** (**5.4**)
**CVSS score :** `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`
## Summary :
Engineering Ingegneria Informatica **SpagoBI** version **3.5.1** is affected by multiple **stored XSS** inside of the worksheet designer page.
## Poc
### Steps to Reproduce :
1. While editing a document inserting custom text or while seving inserting filename and info insert the following payload:
```
"><img src="#" onerror=alert(1)>
```
2. Visit the home/worksheet designer page and the pages of the file saved. The html will be reflected and the alert prompted.
## Affected Version Details :
- <= 3.5.1
## Impact :
If the attacker is logged into the app with sufficient permissions to access the worksheet designer page, can store a JS script that can steal user cookies, perform horizontal/vertical privilege escalation, or perform malicious actions such as downloading a malicious file.
## Mitigation :
- Update to the latest version.
## References :
- https://nvd.nist.gov/vuln/detail/CVE-2024-54795