lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20151118175021.GF2705@tunkki>
Date: Wed, 18 Nov 2015 19:50:21 +0200
From: Henri Salo <henri@...v.fi>
To: "Curesec Research Team (CRT)" <crt@...esec.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] LiteCart 1.3.2: Multiple XSS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Nov 13, 2015 at 05:07:01PM +0100, Curesec Research Team (CRT) wrote:
> 2. XSS 1
> http://localhost/ecommerce/litecart-1.3.2/public_html/en/search?query="></title><script>alert(1)</script>
> 5. Solution
> To mitigate this issue please upgrade at least to version 1.3.3:

This seems to be the same vulnerability as CVE-2014-7183[1] found by
Netsparker[2]. CVE-2014-7183 was fixed in version 1.2 according to the
changelog.

1: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7183
2: https://www.netsparker.com/xss-vulnerabilities-in-litecart/

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWTLpcAAoJECet96ROqnV0p+EQAJGyeaHWzAv5kpox5JUscYh1
2lNp6oAfpVRFlE51dp2N8n36MeeLlRvaPQHBGymcm3glYdBOjK8SfW29/FzeVuJt
V0iI4XfrWQ/cQqh8bvUWqYH/HzLyH6vpQEATirHNxjGuVcNqpVhFGTAmDoJRDak1
9qwBzX5cPKlLrqAjfGIO73vfnu1yyPE3XIY4Ljw3ZZuisrL/p+MlJp6NeaLarIY6
BODzT566R2Rb6GZtSfSfToMxwR15FODts3x53A49rkHpGOYkRjriOe4y4BI2zf2G
v3fm7HZcRuEyxv4wYv3IFiRT2fkX4kWOZMSyXOt9SeRCDseiXinK3uyMF1xWFtI9
3m4imjlWg28/a2gyfkrralIFke7W/E/tnV00RnVoAuTqa7AUNWL4EtsJEKfeEUSV
tNhBS/wggt5EpBFfgDSWiZoBG1FwJ997n8AiKoQvUYNopgVboqVjWfvRmFY/RSuN
OrMqaaH2YMOxOXfttFTRC16DHKB2L/jbogc63uVENd8bBHnV/q3Am2Gu2zSwe3uN
auo0jDoaGfhrWMkehffShQAIsmq6dM6jaJwsWESsLGaG8/tBJXjxnYN0h9ArbR4O
pToMgQYdA6f24bzft56BtG+Sgc7EAfjbKNfEu+kDgPtoIFG1LghJ2cwzYR1az3n8
60Q34C0U+SIMqo87tl01
=G6+F
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists