[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Stored XSS In Hyland's Enterprise Search
From: johnkennedy () discreet ! email
Date: 2020-12-29 13:19:50
Message-ID: 4717c000f7747bbd2d275a51f2c3722a () discreet ! email
[Download RAW message or body]
The admin console's event viewer displays logged event data inside of
<pre></pre> tags. An attack string like
"</pre><script>alert('hi')</script>" in any place across Enterprise
Search that will cause an error, like instead of a number or for the
username on the login page or through the new Federated Authentication,
will then be stored in the event log. The payload will execute each time
someone view the logs in the admin console.
Tested version: 11.2.2
Product URL:
https://www.hyland.com/en/platform/product-suite/enterprise-search
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic