0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Permanent Cross-Site Scripting (XSS) in FreePBX 2.5.x – 2.6.0
[============================================================= Permanent Cross-Site Scripting (XSS) in FreePBX 2.5.x – 2.6.0 ============================================================= Advisory Name: Permanent Cross-Site Scripting (XSS) in FreePBX 2.5.x – 2.6.0 Internal Cybsec Advisory Id: 2010-0102 Vulnerability Class: Permanent Cross-Site Scripting (XSS) Release Date: 15/01/2010 Affected Applications: Confirmed in FreePBX 2.5.x and 2.6.0 - Other versions may also be affected Affected Platforms: Any running FreePBX 2.5.x and 2.6.0 Local / Remote: Remote Severity: Medium – CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) Researcher: Ivan Huertas Vendor Status: Patched Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf Vulnerability Description: A permanent Cross Site Scripting vulnerability was found in FreePBX 2.5.x and 2.6, because the application fails to sanitize user-supplied input. The vulnerability can be triggered by any logged-in user who is able to add an Inbound Route. Proof of Concept: * Add as a Description in an Inbound Route. Impact: An affected user may unintentionally execute scripts or actions written by an attacker. In addition, an attacker may obtain authorization cookies that would allow him to gain unauthorized access to the application. Solution: Upgrade to the latest version • http://www.freepbx.org/v2/changeset/8589 • http://www.freepbx.org/v2/changeset/8590 • http://www.freepbx.org/v2/changeset/8591 Vendor Response: 2009-30-12 – Vulnerability was identified 2010-01-07 – Vendor contacted 2010-01-11 – Vendor confirmed vulnerability 2010-01-14 – Vendor released fixed version 2010-01-15 – Vulnerability published # 0day.today [2024-09-28] #