0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Open-AudIT Community 2.1.1 - Cross-Site Scripting Vulnerability
Author
Risk
[Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
####################################### # Exploit Title: Open-AudIT Community - 2.1.1 - Cross Site Scripting Vulnerability # Google Dork:NA # ####################################### # Exploit Author: Ranjeet Jaiswal# ####################################### # Vendor Homepage: https://opmantek.com/ # Software Link:http://dl-openaudit.opmantek.com/OAE-Win-x86_64- release_2.2.1.exe # Affected Version: 2.1.1 # Category: WebApps # Tested on: Windows 10 # CVE : CVE-2018-11124 # # 1. Vendor Description: # # Network Discovery and Inventory Software | Open-AudIT | Opmantek Discover what's on your network Open-AudIT is the world's leading network discovery, inventory and audit program. Used by over 10,000 customers. # # 2. Technical Description: # # Cross-site scripting (XSS) vulnerability in Attributes functionality in Open-AudIT Community edition before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted attribute name of a Attribute, as demonstrated in below POC. # # 3. Proof Of Concept: 3.1. Proof of Concept for Injecting html contain # #Step to reproduce. Step1:Login in to Open-Audit Step2:Go to Attributes page Step3:Select any attribute which are listed Step4:click on details tab. Step5:In the Name field put the following payload and click submit. <p>Sorry! We have moved! The new URL is: <a href="http://geektyper.com/"> Open-Audit</a></p> Step6:Go to export tab and export using HTML Table Step7:When user open download attribute.html file.You will see redirection hyperlink. Step8:When user click on link ,User will be redirected to Attacker or malicious website. 3.2. Proof of Concept for Injecting web script(Cross-site scripting(XSS)) # #Step to reproduce. Step1:Login in to Open-Audit Step2:Go to Attributes page Step3:Select any attribute which are listed Step4:click on details tab. Step5:In the Name field put the following payload and click submit. <script>alert(hack)</script> Step6:Go to export tab and export using HTML Table Step7:When user open download attribute.html file.Alert Popup will execute. # 4. Solution: # # Upgrade to latest release of Open-AudIT version # https://opmantek.com/network-tools-download/open-audit/ # 0day.today [2024-11-15] #