List: oss-security
Subject: [oss-security] CVE request - itdb 1.23 Cross-Site Scripting (XSS)
From: haojun hou <haojunhou () gmail ! com>
Date: 2016-11-24 7:24:04
Message-ID: 92067071-434D-4B7B-BF05-39E1BD7FE449 () gmail ! com
Hi:
itdb 1.23 - Cross-Site Scripting (XSS)
Product: IT Items DataBase
Vendor: ITDB http://www.sivann.gr/software/itdb/
Vulnerable Version: 1.23 and probably prior
Tested Version: 1.23
Author: Haojun Hou in ADLab of Venustech
Advisory Details:
Haojun Hou in ADLab of Venustech discovered a Cross-Site Scripting (XSS) in itdb, which can be exploited to add, modify or delete information in the application's database and gain complete control over the application.
The vulnerability exists due to insufficient filtration of user-supplied data in the "value" HTTP POST parameter passed to the "itdb-1.23/js/DataTables-1.8.2/examples/examples_support/editable_ajax.php" URL. An attacker could execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to see a pop-up message box:
POST value="><script>alert(1);</script><"
http://localhost/itdb-1.23/js/DataTables-1.8.2/examples/examples_support/editable_ajax.php
Could you please help me assign a CVE for this issue?
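The weakness described above is a reflected-output problem: whatever arrives in the "value" POST parameter is written back into the response without HTML encoding. The following PHP is an added example, not itdb's or DataTables' own editable_ajax.php (that file's source is not reproduced in this post, so the vulnerable handler below is an assumption about its shape). It puts the reflecting pattern beside a hardened version and runs the probe string from the advisory through both, so the effect of output encoding is visible without a browser.

```php
<?php
// Added example (hypothetical code, not the itdb / DataTables file).
// Models an AJAX endpoint that echoes the POSTed "value" back to the caller,
// which is the behaviour the advisory attributes to editable_ajax.php.

// Vulnerable pattern (assumed): the raw parameter is returned unchanged, so any
// markup inside it is interpreted as HTML when a browser renders the response.
function reflect_unsafe(array $post): string
{
    return (string) ($post['value'] ?? '');
}

// Hardened form: encode for the HTML text/attribute context before output.
// ENT_QUOTES encodes both quote characters, which matters because the advisory's
// probe begins by closing an attribute; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, so a malformed byte cannot disable the
// encoding step.
function reflect_safe(array $post): string
{
    $value = (string) ($post['value'] ?? '');
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed request body: the probe string quoted in the advisory.
$request = ['value' => '"><script>alert(1);</script><"'];

echo "unsafe: " . reflect_unsafe($request) . PHP_EOL;
echo "safe:   " . reflect_safe($request) . PHP_EOL;
```

Run it with `php example.php`: the unsafe line reproduces the probe verbatim, while the safe line shows every `<`, `>` and `"` replaced by its entity, so the browser displays the text rather than executing it. Encoding at the point of output is the fix that addresses the flaw itself; serving the AJAX response with an explicit non-HTML `Content-Type` (plus `X-Content-Type-Options: nosniff`) is a useful second layer for an endpoint that is only meant to return plain data, and removing shipped example scripts from a production deployment removes the endpoint altogether.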