The rafasashi User Session Synchronizer up to version 1.4.0 contains a CSRF vulnerability that enables stored XSS attacks. This means that an attacker can trick an authenticated user into submitting a forged request that results in malicious script storage, which may then execute in the context of the victim's browser. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability.

Successful exploitation could allow an attacker to execute stored XSS attacks via CSRF, potentially leading to unauthorized actions performed with the victim's privileges. The impact includes partial compromise of confidentiality, integrity, and availability of the affected system as indicated by the CVSS vector. However, no known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider implementing CSRF protections such as anti-CSRF tokens and validating user requests to mitigate risk. Monitor vendor channels for updates regarding patches or official mitigations.