Open-AuditIT Professional 2.1 Cross-Site Scripting

2018.03.29
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: Open-AuditIT Professional 2.1 - Stored Cross site scripting (XSS)
# Date: 27-03-2018
# Exploit Author: Nilesh Sapariya
# Contact: https://twitter.com/nilesh_loganx
# Website: https://nileshsapariya.blogspot.com
# Vendor Homepage: https://www.open-audit.org/
# Version: 2.1
# CVE : CVE-2018-8903
# Category: Webapp

Open-AuditIT Professional 2.1

1. Description:-
It was observed that an attacker is able to inject a malicious script into the application. The server does not filter the inputs provided by the attacker, and the script executes in the victim's browser when the victim visits the page.

2. Proof of Concept
Log in to Open-AuditIT Professional 2.1
1] Go to Home ==> Credentials
2] Enter XSS payload in Name and Description Field
"><img src=x onerror=alert(1337);>
3] Click on Submit
Visit this page :- http://localhost/omk/open-audit/credentials

3] POCs and steps:
https://nileshsapariya.blogspot.ae/2018/03/csrf-to-xss-open-auditit-professional-21.html

References:

https://nileshsapariya.blogspot.ae/2018/03/csrf-to-xss-open-auditit-professional-21.html
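The description above comes down to stored field values reaching the page without output encoding. The following is an added example, not code from Open-AudIT or from the advisory's author: it renders a constructed credentials record holding the PoC string, once by plain concatenation and once with HTML encoding at output time. The function names and the table-row markup are assumptions made for illustration.

```javascript
// Added example: hypothetical rendering of a stored credentials record.
// The markup layout and all function names are assumptions, not Open-AudIT code.

// Constructed sample record holding the string from the proof of concept.
const payload = '"><img src=x onerror=alert(1337);>';
const record = { name: payload, description: payload };

// Vulnerable pattern: stored values are concatenated into markup unchanged,
// so the leading "> closes the attribute and tag the value was placed in.
function renderUnsafe(rec) {
  return '<tr><td><input type="text" name="name" value="' + rec.name + '"></td>' +
         '<td>' + rec.description + '</td></tr>';
}

// Encode the characters that are significant in HTML text and in quoted
// attribute values. & is handled in the same single pass, so nothing is
// double-encoded.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: encode at output time, regardless of what was stored.
function renderSafe(rec) {
  return '<tr><td><input type="text" name="name" value="' + escapeHtml(rec.name) + '"></td>' +
         '<td>' + escapeHtml(rec.description) + '</td></tr>';
}

// Rough regression check: list the opening tag names present in the output.
// A template that emits only tr/td/input should never produce anything else.
function tagNames(html) {
  return (html.match(/<([a-zA-Z][a-zA-Z0-9]*)/g) || []).map((t) => t.slice(1).toLowerCase());
}

console.log('unsafe tags:', tagNames(renderUnsafe(record)).join(','));
console.log('safe tags:  ', tagNames(renderSafe(record)).join(','));
console.log('safe markup:', renderSafe(record));
```

The tag-name comparison works as a regression test for templates: any tag in the rendered output that the template itself does not emit means a stored value was written without encoding.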



Copyright 2018, cxsecurity.com