Dokeos 2.1.1 Multiple Cross-Site Scripting

2012-11-02 / 2012-11-03
Credit: Marcela Benetrix
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2012-5776
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

############################# Exploit Title : Dokeos 2.1.1 Multiple Cross-Site Scripting Vulnerabilities Author:Marcela Benetrix home:www.girlinthemiddle.net Date: 10/17/12 version: 2.1.1 software link:www.dokeos.com ############################# Dokeos description Dokeos is an open source e-learning platform programmed in PHP, Javascript and HTML which provides different features: reports, mindmaps,documents, social network,etc. ########################## XSS location /main/auth/profile.php At this page, we have a form with many fields to fill in. 5 of them are vulnerable to PERSISTENT cross site scripting. The named fields are: extra_phone extra_street extra_addressline2 extra_zipcode Via post, we can send malicious code in order to steal cookies, access to sensitive information, do a web application defacement to every single user that visits the poisoned profile. ########################## Vendor Notification 10/13/2012 to: info@dokeos.com 10/23/2012 to: sales.us@dokeos.com 10/30/2012 No response, disclosure

References:

http://www.girlinthemiddle.net/
http://seclists.org/oss-sec/2012/q4/203


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top