CVE-2022-36533: 
Homebrew vulnerability analysis and mitigation

Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below contains a cross-site scripting (XSS) vulnerability. The vulnerability was discovered in July 2022 and was fixed in version 9.48j (MGM Security, CVE Mitre).

The vulnerability is caused by missing output encoding in error pages and status pages, as well as profile settings. The application fails to properly sanitize user input in the parameters ProfileName, OriginalProfileName, LeftPath, and RightPath of post_profilesettings.php. Additionally, there are reflected XSS vulnerabilities in the default error page and the profile parameter of status.php (MGM Security).

The vulnerability allows attackers to execute arbitrary JavaScript code that gets executed each time the profiles are viewed. Both stored and reflected XSS attacks are possible, potentially leading to unauthorized code execution in the context of other users' sessions (MGM Security).

The vulnerability has been fixed in Syncovery version 9.48j. Users should upgrade to this version or later to mitigate the risk. All versions below v9.48j, including all versions of branch 8, are vulnerable (MGM Security).