CaseAware Cross Site Scripting

2017.05.20
Credit: justpentest
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: CaseAware Cross Site Scripting Vulnerability # Date: 20th May 2017 # Exploit Author: justpentest # Vendor Homepage: https://caseaware.com/ # Version: All the versions # Contact: transform2secure@gmail.com # CVE : 2017-5631 Source: https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle 1) Description: An issue with respect to input sanitization was discovered in KMCIS CaseAware. Reflected cross site scripting is present in the user parameter (i.e., "usr") that is transmitted in the login.php query string. So bascially username parameter is vulnerable to XSS. 2) Exploit: https://caseaware.abc.com:4322/login.php?mid=0&usr=admin'><a HREF="javascript:alert('OPENBUGBOUNTY')">Click_ME<' ---------------------------------------------------------------------------------------- 3) References: https://www.openbugbounty.org/incidents/228262/ https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle -- Thanks and Regards. Hashim Shaikh. http://justpentest.blogspot.in/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top