| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201110210605.p9L65ERa032155@sf01web1.securityfocus.com> Date: Fri, 21 Oct 2011 06:05:14 GMT From: sschurtz@...nline.de To: bugtraq@...urityfocus.com Subject: Metasploit 4.1.0 Web UI stored XSS vulnerability Advisory: Metasploit 4.1.0 Web UI stored XSS vulnerability Advisory ID: SSCHADV2011-033 Author: Stefan Schurtz Affected Software: Successfully tested on Metasploit Community Edition Vendor URL: http://metasploit.com/ Vendor Status: fixed EDB-ID: 18012 ========================== Vulnerability Description: ========================== Metasploit 4.1.0 Web UI "project[name]" parameter is prone to a XSS vulnerability ================== Technical Details: ================== Login to Web UI -> Create New Project -> Project name -> '"</script><script>alert(document.cookie)</script> ========= Solution: ========= http://dev.metasploit.com/redmine/projects/pro/wiki/Release_Notes_400_20111020000001 ==================== Disclosure Timeline: ==================== 19-Oct-2011 - informed developers 20-Oct-2011 - fixed by vendor 20-Oct-2011 - release date of this security advisory ======== Credits: ======== Vulnerability found and advisory written by Stefan Schurtz. =========== References: =========== http://metasploit.com/ http://dev.metasploit.com/redmine/issues/5801 http://www.rul3z.de/advisories/SSCHADV2011-033.txt
Powered by blists - more mailing lists