CVE-2021-43725: 
Linux Debian vulnerability analysis and mitigation

A Cross Site Scripting (XSS) vulnerability was discovered in Spotweb version 1.5.1 and below, specifically in the SpotPage_login.php file. The vulnerability was identified on November 12, 2021, and allows remote attackers to inject arbitrary web script or HTML through the data[performredirect] parameter (GitHub Issue).

The vulnerability exists due to insufficient input validation of the data[performredirect] parameter in the login page. When a user accesses the login page with a specially crafted URL containing malicious JavaScript in the data[performredirect] parameter, the code is executed in the victim's browser context. The vulnerability has a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of the victim's browser session. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks when users browse to the page containing the vulnerable parameter (NVD).

The vulnerability has been patched by implementing input validation that checks for chevrons (< >) in the performredirect parameter. When detected, the script returns an error message stating 'Script is not allowed'. Users should upgrade to the patched version of Spotweb that includes this fix (GitHub Patch).