Sypex Dumper 2.0.11 Cross Site Scripting

2015.05.30
Credit: hyp3rlinx
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Credits: John Page ( hyp3rlinx )
Domains: hyp3rlinx.altervista.org
Source: http://hyp3rlinx.altervista.org/advisories/AS-SYPEX0529.txt
Vendor: https://sypex.net

Product:
Sypex Dumper 2.0.11 is a PHP web-based MySQL database management system.

Advisory Information:
================================================
Sypex Dumper 2.0.11 XSS Vulnerabilities

XSS Vulnerability Details:
=====================
The login page input fields (host, user, pass) are vulnerable to XSS via the POST method, allowing a remote attacker to execute arbitrary script in the context of a user's browser session. The payloads below show the mechanism: each value opens with a double quote that closes the attribute the field is reflected into, then appends an onMouseOver event handler. None of them contains < or >, so a filter that only strips tags does not stop them; the field values must be escaped for the HTML attribute context (including both quote characters) before they are written back into the page.

Exploit code(s):
===============
host="onMouseOver="alert(666);
pass="onMouseOver="alert(666);
user="onMouseOver="alert(666);

Disclosure Timeline:
=========================================================
May 27, 2015: Vendor Notification
May 29, 2015: Public Disclosure

Severity Level:
=========================================================
Med

Description:
==========================================================
Request Method(s):
[+] POST

Vulnerable Product:
[+] Sypex Dumper 2.0.11

Vulnerable Parameter(s):
[+] host, pass, user

Affected Area(s):
[+] Login page
===============================================================
(hyp3rlinx)
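The following is an added example, not code from the advisory or from the Sypex Dumper project. It reproduces the bug class the advisory describes against a hypothetical login-form template (the real template is not on this page; only the parameter names host, user and pass are taken from the advisory), feeds the three published payloads through it, and uses Python's html.parser as a stand-in for a browser's attribute tokenizer to check whether any <input> element gained an on* handler. Three renderers are compared: the unescaped reflection, a common insufficient fix that only neutralises angle brackets, and attribute-context escaping with html.escape(quote=True).

```python
import html
from html.parser import HTMLParser

# Payloads copied from the advisory (field -> value). Each one closes the
# surrounding value="" attribute and appends an event-handler attribute; none
# of them contains < or >, which is why tag-stripping filters miss them.
ADVISORY_PAYLOADS = {
    "host": '"onMouseOver="alert(666);',
    "user": '"onMouseOver="alert(666);',
    "pass": '"onMouseOver="alert(666);',
}

FIELDS = ("host", "user", "pass")

# Hypothetical login-form template standing in for the affected page (assumed;
# the advisory does not reproduce the vendor's markup). Each POST field is
# written back into a double-quoted value attribute.
TEMPLATE = (
    '<form method="post" action="">'
    '<input type="text" name="host" value="{host}">'
    '<input type="text" name="user" value="{user}">'
    '<input type="password" name="pass" value="{pass}">'
    '<input type="submit" value="Login">'
    "</form>"
)


def _render(post, transform):
    """Interpolate every field through `transform` into the template."""
    return TEMPLATE.format(**{k: transform(post.get(k, "")) for k in FIELDS})


def render_unescaped(post):
    """Reflects POST fields into the form as-is: the vulnerable pattern."""
    return _render(post, lambda s: s)


def render_angle_brackets_only(post):
    """Insufficient fix: only < and > are neutralised, quotes pass through."""
    return _render(post, lambda s: s.replace("<", "&lt;").replace(">", "&gt;"))


def render_attribute_escaped(post):
    """Correct fix for this context: escape &, <, >, \" and ' before interpolation."""
    return _render(post, lambda s: html.escape(s, quote=True))


class _InputCollector(HTMLParser):
    """Collects the attribute dict of every <input> start tag in the page.
    HTMLParser lower-cases attribute names and unescapes entities in values,
    so it models how a browser would tokenise the rendered markup."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def injected_handlers(markup):
    """Return {field name: [event-handler attribute names]} for every <input>
    that ended up carrying an on* attribute. An empty dict means no breakout."""
    collector = _InputCollector()
    collector.feed(markup)
    collector.close()
    result = {}
    for attrs in collector.inputs:
        handlers = sorted(k for k in attrs if k.startswith("on"))
        if handlers:
            result[attrs.get("name")] = handlers
    return result


if __name__ == "__main__":
    for label, render in (
        ("unescaped", render_unescaped),
        ("angle brackets only", render_angle_brackets_only),
        ("attribute-escaped", render_attribute_escaped),
    ):
        print(f"{label:22s} -> {injected_handlers(render(ADVISORY_PAYLOADS))}")
```

Running the block prints an onmouseover handler on all three fields for the unescaped and angle-bracket-only renderers and nothing for the attribute-escaped one. The middle case is the caveat worth remembering from this advisory: the published payloads never leave the attribute, so escaping has to cover the quote characters, not just tag delimiters, and the same applies to htmlspecialchars in PHP, which should be called with ENT_QUOTES when the value may land inside an attribute.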

References:

http://hyp3rlinx.altervista.org/advisories/AS-SYPEX0529.txt


Copyright 2024, cxsecurity.com