[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE request - itdb 1.23  Cross-Site Scripting (XSS)
From:       haojun hou <haojunhou () gmail ! com>
Date:       2016-11-24 7:24:04
Message-ID: 92067071-434D-4B7B-BF05-39E1BD7FE449 () gmail ! com
[Download RAW message or body]


Hi:
itdb 1.23 - Cross-Site Scripting (XSS) 

Procuct: IT Items DataBase

Vendor: ITDB http://www.sivann.gr/software/itdb/

Vunlerable Version: 1.23 and probably prior

Tested Version: 1.23

Author: Haojun Hou in ADLab of Venustech


Advisory Details:

Haojun Hou in ADLab of Venustech discovered a Cross-Site Scripting (XSS) in itdb <>, which can \
be exploited to add,modify or delete information in application`s database and gain complete \
control over the application.



The vulnerability exists due to insufficientfiltration of user-supplied data in ˇ°valueˇ± HTTP \
POST parameter passed to \
ˇ°itdb-1.23/js/DataTables-1.8.2/examples/examples_support/editable_ajax.phpˇ± url. An attacker \
could execute arbitrary HTML and script code in browser in context of the vulnerable website.

The exploitation example below uses the "alert()" JavaScript function to see a  pop-up \
messagebox:

POST value="><script>alert(1);</script><"

http://localhost/itdb-1.23/js/DataTables-1.8.2/examples/examples_support/editable_ajax.php \
<http://localhost/itdb-1.23/js/DataTables-1.8.2/examples/examples_support/editable_ajax.php>

Could you please help me assign a  CVE for this issue?

 



[prev in list] [next in list] [prev in thread] [next in thread]