Full Disclosure mailing list archives
Cross-site Scripting Vulnerabilities in VFront 0.99.5
From: Daniel Bishtawi <daniel () netsparker com>
Date: Tue, 28 May 2019 10:29:31 +0200
Hello, We are informing you about the vulnerabilities we reported in VFront 0.99.5. Here are the details: Advisory by Netsparker Name: Multiple Reflected Cross-site Scripting in VFront 0.99.5 Affected Software: VFront Affected Versions: 0.99.5 Homepage: http://www.vfront.org/ Vulnerability: Reflected Cross-site Scripting Severity: High Status: Fixed CVE-ID: CVE-2019-9839 CVSS Score (3.0): 7.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N Netsparker Advisory Reference: NS-19-002 Technical Details: URL: http://{domain}/{vfront_path}/admin/menu_registri.php Parameter Name: descrizione_g Parameter Type: POST Attack Pattern: <scRipt>alert(0x00938D)</scRipt> URL: http://{domain}/{vfront_path}/admin/sync_reg_tab.php?azzera= Parameter Name: azzera Parameter Type: GET Attack Pattern: '"--></style></scRipt><scRipt>alert(0x0067C2)</scRipt> ------- Advisory by Netsparker Name: Stored Cross-site Scripting Vulnerability in VFront Affected Software: VFront Affected Versions: 0.99.5 Homepage: http://www.vfront.org/ Vulnerability: Stored Cross-site Scripting Severity: High Status: Fixed CVE-ID: CVE-2019-9838 CVSS Score (3.0): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Netsparker Advisory Reference: NS-19-003 Technical Details; Injection Technical Details URL: http://{domain}/{vfront_path}/admin/sync_reg_tab.php?azzera= Parameter Name: azzera Parameter Type: GET Attack Pattern: '"--></style></scRipt><scRipt>alert(0x0067C2)</scRipt> Identification Technical Details URL: http://{domain}/{vfront_path}/admin/error_log.php For more information: - https://www.netsparker.com/web-applications-advisories/ns-19-002-reflected-cross-site-scripting-in-vfront/ - https://www.netsparker.com/web-applications-advisories/ns-19-003-stored-cross-site-scripting-in-vfront/ Regards, Daniel Bishtawi Marketing Administrator | Netsparker Web Application Security Scanner Tel: +44 (0)20 3588 3843 Follow us on Twitter <https://twitter.com/netsparker> | LinkedIn <https://www.linkedin.com/company/netsparker-ltd> | Facebook <https://facebook.com/netsparker> _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Cross-site Scripting Vulnerabilities in VFront 0.99.5 Daniel Bishtawi (May 29)