Cross Site Scripting (XSS) vulnerability exists in AAT Novus Management System through 1.51.2. The WebUI has wrong HTTP 404 error handling implemented. A remote, unauthenticated attacker may be able to exploit the issue by sending malicious HTTP requests to non-existing URIs. The value of the URL path filename is copied into the HTML document as plain text tags.

FULLDISC:FULLDISC: 20210709 Novus Managment System Vulnerabilities (CVE-2021-34820, CVE-2021-38421) | URL:https://seclists.org/fulldisclosure/2021/Jul/20