Title: bdTask Sales ERP Software Latest version as of 2025-10-24 Stored HTML Injection

Description: A Stored HTML Injection vulnerability exists in the User Profile functionality of Sales ERP Software. The application's input filters for the 'first_name' and 'last_name' parameters are incomplete: they fail to sanitize standard HTML tags and let specific HTML tags through. An authenticated attacker can inject malicious HTML into these fields. The injected HTML is stored in the database and rendered on every page that displays the user's name, so it affects all users who view the compromised profile. This can be exploited for phishing, by embedding deceptive links, or for website defacement.

Source: https://rgithub.com/dm3mfin fetal VulDB/Chances/2844
User: Amenato (UID 94706)
Submission: 10/3/2023 02:27 PM (17 days ago)
Moderation: 10/28/2023 17:29 (17 days ago)
Status: Closed
VulDB entry: bdTask Sales ERP up to 2023T20 User Profile edit_profile first_name/last_name cross site scripting
Points: 30
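The following Python is an added illustration of the filter weakness the description above attributes to the first_name/last_name fields; it is not code from the advisory or from bdTask, and the filter, payloads, profile rows and function names are all constructed assumptions. It contrasts a hypothetical denylist filter (strips a few named tags, lets everything else through, which is the class of incomplete filter described) with output escaping and an allowlist validator, and includes a scan over stored rows that a responder could adapt to find payloads already in the database.

```python
import html
import re

# Constructed payloads of the kind the advisory describes: a deceptive
# link for phishing, a defacement block, and a script tag the denylist
# does catch. None of these come from the advisory itself.
SAMPLE_PHISHING = '<a href="https://example.invalid/reset">Reset your password</a>'
SAMPLE_DEFACE = "<h1>Site defaced</h1>"
SAMPLE_SCRIPT = "<script>alert(1)</script>Bob"
SAMPLE_OK = "Mary-Jane O'Neil"

# Hypothetical denylist: only <script> and <iframe> are removed.
_DENYLIST = re.compile(r"</?\s*(script|iframe)[^>]*>", re.IGNORECASE)


def weak_filter(value: str) -> str:
    """Incomplete input filter (assumed, for illustration).

    Strips a short list of tags and passes every other tag through,
    so a phishing link or a heading survives unchanged.
    """
    return _DENYLIST.sub("", value)


def render_name_unsafe(first: str, last: str) -> str:
    """Render the stored name trusting the weak input filter only."""
    return f'<span class="user">{weak_filter(first)} {weak_filter(last)}</span>'


def render_name_safe(first: str, last: str) -> str:
    """Render the stored name with contextual output escaping.

    html.escape turns <, >, &, " and ' into entities, so whatever was
    stored is displayed as text and never parsed as markup.
    """
    return (
        f'<span class="user">{html.escape(first, quote=True)} '
        f"{html.escape(last, quote=True)}</span>"
    )


# Allowlist for name fields: letters/digits/underscore (Unicode-aware),
# space, period, apostrophe and hyphen, 1 to 64 characters. Anything with
# angle brackets or other markup characters is rejected at input time.
_NAME_RE = re.compile(r"[\w .'\-]{1,64}")


def is_valid_name(value: str) -> bool:
    """Allowlist validation for first_name/last_name at input time."""
    return _NAME_RE.fullmatch(value) is not None


# Detector for values that already contain an HTML tag, for triage of
# rows stored before a fix was deployed.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(value: str) -> bool:
    return _TAG_RE.search(value) is not None


def find_injected_rows(rows):
    """Return ids of profile rows whose name fields contain markup."""
    return [
        row["id"]
        for row in rows
        if contains_markup(row["first_name"]) or contains_markup(row["last_name"])
    ]


# Constructed profile table standing in for the application's user records.
SAMPLE_ROWS = [
    {"id": 1, "first_name": "Mary-Jane", "last_name": "O'Neil"},
    {"id": 2, "first_name": SAMPLE_PHISHING, "last_name": "Smith"},
    {"id": 3, "first_name": "Eve", "last_name": SAMPLE_DEFACE},
]


if __name__ == "__main__":
    print("weak filter keeps link :", weak_filter(SAMPLE_PHISHING) == SAMPLE_PHISHING)
    print("unsafe render          :", render_name_unsafe(SAMPLE_PHISHING, "Smith"))
    print("safe render            :", render_name_safe(SAMPLE_PHISHING, "Smith"))
    print("valid name accepted    :", is_valid_name(SAMPLE_OK))
    print("payload rejected       :", is_valid_name(SAMPLE_PHISHING))
    print("rows needing cleanup   :", find_injected_rows(SAMPLE_ROWS))
```

The fix the description implies is not a longer denylist: the stored value should be escaped at the point where it is rendered, and the input validator should accept only characters a name can contain. The row scan is the check a responder wants after closing the issue, since the payloads are already persisted and will keep rendering until the rows are cleaned.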