DB: 2020-06-25
1 changes to exploits/shellcodes BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting
This commit is contained in:
parent
b8629afe42
commit
e48d268df5
2 changed files with 22 additions and 0 deletions
21
exploits/multiple/webapps/48619.txt
Normal file
@ -0,0 +1,21 @@
# Exploit title: BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting
# Exploit Author: William Summerhill
# Date: 2020-06-22
# Vendor homepage: https://www.globalradar.com/
# Tested on: Window
# CVE-2020-14943
# Description: The "Firstname" and "Lastname" parameters in Global RADAR BSA Radar 1.6.7234.X
# are vulnerable to a stored Cross-Site Scripting (XSS) via the Update User Profile feature
# (in the top-right of the application).
# Proof of Concept:
Using the "update user profile" feature in the top-right of the application while logged in,
a malicious user can inject malicious, unencoded scripts, such as "<script>alert(1)</script>",
into the Firstname and Lastname parameters of a user account. This stored XSS will execute on
nearly every application page as these parameters are always present while logged in. This attack
can be further leveraged by utilizing an existing authorization bypass exploit (CVE-2020-14944)
to inject stored XSS payloads into these parameters for arbitrary existing user accounts.
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14943
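Review bot: the "# Tested on: Window" header is a typo for "Windows", and the description widens the affected range to "1.6.7234.X" while the title (and the CSV row) name the single build 1.6.7234.24750; state which builds were actually tested so the two do not contradict each other. The Proof of Concept names only the UI feature and the payload "<script>alert(1)</script>"; quoting the actual form field or request parameter names for Firstname and Lastname, and the page element where the stored value is rendered unencoded, would make it reproducible from the text alone. The chained authorization bypass (CVE-2020-14944) is mentioned without a reference; add a link alongside the existing CVE-2020-14943 reference line.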
@ -42875,3 +42875,4 @@ id,file,description,date,author,type,platform,port
48612,exploits/php/webapps/48612.txt,"WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,php,
48615,exploits/php/webapps/48615.txt,"Responsive Online Blog 1.0 - 'id' SQL Injection",2020-06-23,"Eren Şimşek",webapps,php,
48616,exploits/php/webapps/48616.txt,"Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)",2020-06-23,BKpatron,webapps,php,
48619,exploits/multiple/webapps/48619.txt,"BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting",2020-06-24,"William Summerhill",webapps,multiple,
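Review bot: the date column of the new 48619 row (2020-06-24) does not match the "# Date: 2020-06-22" header in exploits/multiple/webapps/48619.txt; if the CSV date is meant to be the publication date rather than the advisory date, that is fine, otherwise align the two. The row otherwise follows the header order id,file,description,date,author,type,platform,port, and the trailing empty port field is consistent with the neighbouring webapps rows.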