{"id":"CVE-2023-38878","details":"A reflected cross-site scripting (XSS) vulnerability in DevCode OpenSTAManager versions 2.4.24 to 2.4.47 may allow a remote attacker to execute arbitrary JavaScript in the web browser of a victim by injecting a malicious payload into the 'error' and 'error_description' parameters of 'oauth2.php'.","modified":"2026-04-12T07:18:47.020736Z","published":"2023-09-11T22:15:08.023Z","references":[{"type":"WEB","url":"https://openstamanager.com/"},{"type":"PACKAGE","url":"https://github.com/devcode-it/openstamanager"},{"type":"EVIDENCE","url":"https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38878"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/devcode-it/openstamanager","events":[{"introduced":"016dfdf09866e82887f82457ed1f26496ead7093"},{"last_affected":"bfd4794fd4a5301e70ab06284431f32ba4aa7afb"}],"database_specific":{"cpe":"cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"2.4.24"},{"last_affected":"2.4.47"}],"source":"CPE_FIELD"}}],"versions":["v2.4.24","v2.4.25","v2.4.28","v2.4.32","v2.4.38","v2.4.40","v2.4.41","v2.4.42","v2.4.43","v2.4.44","v2.4.47"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-38878.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}