Akeneo PIM Cross Site Scripting

2015.02.27

Credit: Provensec

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Affected software: Akeneo Online Demo
# Type of vulnerability: stored xss
# URL: http://www.akeneo.com/demo/
# Discovered by: Provensec
# Website: http://www.provensec.com
# Description:Akeneo is an open source Product Information Management
(PIM) system designed for retailers looking for efficient answers to
their multichannel needs.
# Proof of concept

username field of profile section was vulnerable to stored xss

http://demo.akeneo.com/#url=/user/profile/edit

edit the Username with payload "><img src=d onerror=confirm(1);> and
java script will execute

#screen http://prntscr.com/69ywwr

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

Akeneo PIM Cross Site Scripting

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Akeneo PIM Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.