Message-ID: <CAFzAN85+SMVfYh7p5_Ct4miY8EudURjSERLOaAT4JGDyces+ng@mail.gmail.com>
Date: Tue, 28 Jan 2025 13:43:53 +0400
From: Shaikh Shahnawaz <sshahnawaz99910@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Quorum onQ OS - 6.0.0.5.2064 | Reflected Cross Site Scripting (XSS) | CVE-2024-44449

[+] Credits: Shahnawaz Shaikh, Security Researcher at Cybergate Defense LLC
[+] twitter.com/_striv3r_

[Vendor]
https://quorum.com/about/

[Product]
Quorum onQ OS - 6.0.0.5.2064

[Vulnerability Type]
Reflected Cross Site Scripting (XSS)

[Affected Component]
The login page GET parameter 'msg' is vulnerable to reflected cross-site
scripting.

[CVE Reference]
CVE-2024-44449

[Security Issue]
A reflected cross-site scripting vulnerability in Quorum onQ OS v.6.0.0.5.2064
allows a remote attacker to obtain sensitive information via the 'msg'
parameter of the login page, which is echoed into the response without
output encoding.
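As an added illustration of the bug class described above (this is not code from the advisory or from Quorum; the page layout, the `/login` path and the access-log lines are constructed assumptions), the following Python snippet shows a login page that reflects `msg` unescaped beside the corrected form, and a small check over constructed web-server log lines that flags requests carrying HTML metacharacters in `msg`, which is what a defender would look for while a fix is rolled out:

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical minimal login-page template (constructed for this example).
_PAGE = (
    "<html><body>"
    "<div class='msg'>{msg}</div>"
    "<form method='post' action='/login'>"
    "<input name='user'><input name='pass' type='password'>"
    "</form></body></html>"
)


def msg_from_url(url: str) -> str:
    """Extract the first 'msg' query value from a URL or request path (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_login_vulnerable(msg: str) -> str:
    """Reflects the untrusted query value straight into the HTML body (the bug class)."""
    return _PAGE.format(msg=msg)


def render_login_fixed(msg: str) -> str:
    """Same page, but the value is HTML-entity encoded (including quotes) before insertion."""
    return _PAGE.format(msg=html.escape(msg, quote=True))


def reflected_unescaped(page: str, value: str) -> bool:
    """True if the raw value is present verbatim in the response, i.e. reflected without encoding."""
    return value in page


# Request line inside a common-log-format entry, e.g. "GET /login?msg=x HTTP/1.1".
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
_META = set('<>"\'')


def suspicious_msg_requests(log_lines):
    """Return log lines whose /login request carries HTML metacharacters in 'msg'."""
    hits = []
    for line in log_lines:
        m = _REQ_RE.search(line)
        if not m or not m.group("path").startswith("/login"):
            continue
        msg = msg_from_url(m.group("path"))
        if any(ch in _META for ch in msg):
            hits.append(line)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jan/2025:13:40:01 +0400] "GET /login?msg=Session+expired HTTP/1.1" 200 1203',
    '10.0.0.9 - - [28/Jan/2025:13:41:17 +0400] "GET /login?msg=%22%3E%3Ci%3Einjected%3C/i%3E HTTP/1.1" 200 1240',
    '10.0.0.5 - - [28/Jan/2025:13:42:30 +0400] "GET /dashboard?msg=%3Cb%3E HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    probe = '"><i>injected</i>'
    print("vulnerable reflects raw:", reflected_unescaped(render_login_vulnerable(probe), probe))
    print("fixed reflects raw:", reflected_unescaped(render_login_fixed(probe), probe))
    for hit in suspicious_msg_requests(SAMPLE_LOG):
        print("flagged:", hit)
```

The fix is output encoding at the point of insertion; the log check is only a triage aid and matches on decoded metacharacters, so it will not catch values that are never reflected and will flag benign messages that legitimately contain quotes.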

[Attack Vectors]
After obtaining the API key, an attacker can use tools such as curl,
Postman, or custom scripts to craft unauthorized requests to the target API.

[Network Access]
Remote

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: July 20, 2024
Vendor released fix: September 13, 2024
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/