0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Achievo 1.4.2 Permanent Cross-Site Scripting
============================================ Achievo 1.4.2 Permanent Cross-Site Scripting ============================================ Affected Platforms: Any running Achievo Severity: Medium – CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) Vendor Status: New release available (Achievo 1.4.3) Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf Vulnerability Description: A permanent Cross Site Scripting vulnerability was found in Achievo 1.4.2, because the application fails to sanitize user-supplied input. The vulnerability can be triggered by any logged-in user who is able to add a Scheduler Category. Proof of Concept: * Add <script>alert(“XSS in Categoryâ€);</script> as a new category. Then, browse the Scheduler. Impact: An affected user may unintentionally execute scripts or actions written by an attacker. In addition, an attacker may obtain authorization cookies that would allow him to gain unauthorized access to the application. Solution: New category is now correctly sanitized. Vendor Response: 2009-12-03 – Vulnerability was identified 2009-12-03 – Vendor contacted 2009-12-03 – Vendor confirmed vulnerability 2009-12-03 – Vendor released fixed version 2009-12-04 – Vulnerability published # 0day.today [2024-12-25] #