Serenity Client Management Portal 1.0.1 Cross Site Scripting

2014.11.14
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Serenity Client Management Portal Multiple Vulnerabilities # Date: 08-10-2014 # Exploit Author: Halil Dalabasmaz # Version: v1.0.1 # Software Link: http://codecanyon.net/item/serenity-client-management-portal/9136098 # Software Test Link: http://www.zenperfectdesign.com/demo/serenity-cc/ # Vulnerabilities Description: ===Unrestricted File Upload=== Login to system and go to "Profile" section. Now you can upload any file or shell file from "Profile Image" section. Solution Filter the files aganist to attacks. === ===Stored XSS=== Login to system and go to "Profile" section. Now you can run any XSS payloads on all profile inputs. Sample Payload for XSS: "><script>alert(document.cookie);</script> Solution Filter the files aganist to attacks.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top