SSCHADV2011-033 - Metasploit 4.1.0 Web UI stored XSS vulnerability
Advisory: Metasploit 4.1.0 Web UI stored XSS vulnerability
Advisory ID: SSCHADV2011-033
Author: Stefan Schurtz
Affected Software: Successfully tested on Metasploit 4.1.0
Vendor URL:
Vendor Status: fixed
EDB-ID: 18012
======================
Vulnerability Description:
======================
The Metasploit Web UI "project[name]" parameter is prone to a stored XSS vulnerability.
==============
Technical Details:
==============
Login to Web UI -> Create New Project -> Project name -> ‘"</script><script>alert(document.cookie)</script>
=====
Solution:
=====
https://dev.metasploit.com/redmine/projects/pro/wiki/Release_Notes_400_20111020000001
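
Context-aware output encoding for a stored project name, as an added example: this is not Metasploit's code and not the vendor's fix. It assumes, from the shape of the payload above, that the name was written into an inline script block; all function names are hypothetical.

```ruby
require 'erb'
require 'json'

# Constructed sample: the project name from the Technical Details step.
PROJECT_NAME = %q(‘"</script><script>alert(document.cookie)</script>)

# Vulnerable pattern (assumed): the stored value is interpolated raw into
# a JavaScript string inside an inline script block.
def render_unsafe(name)
  %(<script>var project = "#{name}";</script>)
end

# HTML body context: entity-encode & < > " ' before writing the value.
def render_html(name)
  %(<h1 class="project">#{ERB::Util.html_escape(name)}</h1>)
end

# Inline-script context: JSON-encode the string, then escape the characters
# that could close the script element or be reinterpreted by the HTML parser.
def js_literal(name)
  JSON.generate(name.to_s).gsub(/[<>&\u2028\u2029]/) { |c| format('\\u%04x', c.ord) }
end

def render_script(name)
  %(<script>var project = #{js_literal(name)};</script>)
end

# Number of script elements opened by a piece of rendered markup.
def script_tags(html)
  html.scan(/<script/i).length
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(PROJECT_NAME)  # two script elements: the value escaped its string
  puts render_html(PROJECT_NAME)    # value shown as text
  puts render_script(PROJECT_NAME)  # one script element, value stays a string literal
end
```

HTML entity encoding alone is the wrong encoder for the script context, which is why the two renderers are kept separate.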
================
Disclosure Timeline:
================
19-Oct-2011 – informed developers
20-Oct-2011 – fixed by vendor
20-Oct-2011 – release date of this security advisory
21-Oct-2011 – post on BugTraq
====
Credits:
====
Vulnerability found and advisory written by Stefan Schurtz.
=======
References:
=======
http://metasploit.com/
http://dev.metasploit.com/redmine/issues/5801