[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Achievo 1.4.2 Permanent Cross-Site Scripting

Author
Nahuel Grisolia
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-10088
Category
web applications
Date add
04-12-2009
Platform
unsorted
============================================
Achievo 1.4.2 Permanent Cross-Site Scripting
============================================

Affected Platforms: Any running Achievo
 
Severity: Medium – CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
 
Vendor Status: New release available (Achievo 1.4.3)
 
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
 
Vulnerability Description:
 
A permanent Cross Site Scripting vulnerability was found in Achievo 1.4.2, because the application
fails to sanitize user-supplied input. The vulnerability can be triggered by any logged-in user who is
able to add a Scheduler Category.
 
Proof of Concept:
 
 
* Add <script>alert(“XSS in Category”);</script> as a new category. Then, browse the Scheduler.
 
 
Impact:
 
An affected user may unintentionally execute scripts or actions written by an attacker. In addition, an
attacker may obtain authorization cookies that would allow him to gain unauthorized access to the
application.
 
Solution:
 
New category is now correctly sanitized.
 
Vendor Response:
2009-12-03 – Vulnerability was identified
2009-12-03 – Vendor contacted
2009-12-03 – Vendor confirmed vulnerability
2009-12-03 – Vendor released fixed version
2009-12-04 – Vulnerability published



#  0day.today [2024-12-25]  #