Codiad 2.0.7 Cross Site Scripting

2013-12-23 / 2014-01-05
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


Ogólna skala CVSS: 4.3/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

# Exploit Title: Codiad - Stored (Persistent) Cross Site Scripting Vulnerability # Date: 02/12/2013 # Exploit Author: Project Zero Labs # Vendor Homepage: http://www.codiad.com # Software Link: https://github.com/Codiad/Codiad # Version: v.2.0.7 # Tested on: Kali Linux / Iceweasel v.22 About the software: =================== Codiad is a web-based IDE framework with a small footprint and minimal requirements. Demo: http://demo.codiad.com/ Vulnerability Details: ====================== Project Zero Labs identified a stored (persistent) cross site scripting vulnerability in the "Project Name" field. For example if we put: <script>alert("XSS Found!");</script> as the project name a popup alert will appear every time we trigger the Project Menu or the Codiad loads the Project. An attacker can inject malicious code that will be executed on the victim's browser. The vulnerability has already reported to the development team via GitHub. Report & Proof Of Concept: ========================== A detailed report with screenshots as Proof Of Concept can be found in the software's bug tracker (Github): https://github.com/Codiad/Codiad/issues/584 Payload: ======== <script>alert("XSS Found!");</script> Severity: ========= Medium Credits: ======== Project Zero Labs labs@projectzero.gr http://www.projectzero.gr

Referencje:

http://www.projectzero.gr


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top