CVE-2026-23880 (GCVE-0-2026-23880)

Vulnerability from cvelistv5 – Published: 2026-01-19 20:55 – Updated: 2026-01-20 15:12
VLAI
Title
OnboardLite has stored Cross-site Scripting issue that may lead to admin Account Take Over
Summary
OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-20 - Improper Input Validation
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
Impacted products
Vendor Product Version
HackUCF OnboardLite Affected: < 1d32081a66f21bcf41df1ecb672490b13f6e429f
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-23880",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-20T15:12:18.083821Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-20T15:12:32.529Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OnboardLite",
          "vendor": "HackUCF",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1d32081a66f21bcf41df1ecb672490b13f6e429f"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user\u0027s discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116: Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T20:55:28.469Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g"
        },
        {
          "name": "https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f"
        }
      ],
      "source": {
        "advisory": "GHSA-93w8-83cg-h89g",
        "discovery": "UNKNOWN"
      },
      "title": "OnboardLite has stored Cross-site Scripting issue that may lead to admin Account Take Over"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-23880",
    "datePublished": "2026-01-19T20:55:28.469Z",
    "dateReserved": "2026-01-16T21:02:02.900Z",
    "dateUpdated": "2026-01-20T15:12:32.529Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-23880",
      "date": "2026-07-09",
      "epss": "0.00226",
      "percentile": "0.13199"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23880\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-19T21:15:52.357\",\"lastModified\":\"2026-06-17T10:22:14.780\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user\u0027s discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue.\"},{\"lang\":\"es\",\"value\":\"OnboardLite es una plataforma integral para el ciclo de vida de la membres\u00eda construida para organizaciones estudiantiles en la Universidad de Florida Central. Las versiones del software anteriores al commit 1d32081a66f21bcf41df1ecb672490b13f6e429f tienen una vulnerabilidad de cross-site scripting almacenado que puede ser renderizada a un administrador cuando intenta migrar la cuenta de Discord de un usuario en el panel de control. El commit 1d32081a66f21bcf41df1ecb672490b13f6e429f corrige el problema.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"HackUCF\",\"product\":\"OnboardLite\",\"versions\":[{\"version\":\"\u003c 1d32081a66f21bcf41df1ecb672490b13f6e429f\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":5.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-20T15:12:18.083821Z\",\"id\":\"CVE-2026-23880\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-116\"}]}],\"references\":[{\"url\":\"https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g\",\"source\":\"security-advisories@github.com\"}]}}",
    "redhat_vex": {
      "current_release_date": "2026-01-20T21:22:45+00:00",
      "cve": "CVE-2026-23880",
      "id": "CVE-2026-23880",
      "initial_release_date": "2026-01-01T00:00:00+00:00",
      "product_status:known_not_affected": "1",
      "source": "Red Hat CSAF VEX",
      "status": "final",
      "title": "OnboardLite has stored Cross-site Scripting issue that may lead to admin Account Take Over",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23880.json",
      "version": "3"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-23880\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-20T15:12:18.083821Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-20T15:12:27.548Z\"}}], \"cna\": {\"title\": \"OnboardLite has stored Cross-site Scripting issue that may lead to admin Account Take Over\", \"source\": {\"advisory\": \"GHSA-93w8-83cg-h89g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"HackUCF\", \"product\": \"OnboardLite\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1d32081a66f21bcf41df1ecb672490b13f6e429f\"}]}], \"references\": [{\"url\": \"https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g\", \"name\": \"https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f\", \"name\": \"https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user\u0027s discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-116\", \"description\": \"CWE-116: Improper Encoding or Escaping of Output\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-19T20:55:28.469Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-23880\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-20T15:12:32.529Z\", \"dateReserved\": \"2026-01-16T21:02:02.900Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-19T20:55:28.469Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…