This vulnerability involves stored XSS in Kiamo prior to version 8.4 due to inadequate output encoding of input provided by authenticated administrative users. The flaw allows these users to inject malicious JavaScript code into administrative interface pages, which then executes in the context of other users' browsers when they access those pages. This can lead to session hijacking, unauthorized actions, or other client-side impacts depending on the injected script. There is no public information on patches or fixes at this time.

An authenticated administrative user can inject and execute arbitrary JavaScript code in the browsers of other users viewing the affected administrative pages. This can compromise user sessions or perform unauthorized actions within the affected interface. There is no evidence of known exploits in the wild. The impact is limited to environments where an attacker has administrative authentication.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict administrative access to trusted users only and consider additional monitoring of administrative interface activity to detect suspicious behavior.