search

FABtotum / FAB-UI

The FABtotum User Interface Repo
http://www.fabtotum.com
GNU General Public License v2.0
23 stars 30 forks source link

FAB-UI – Multiple Cross-Site Scripting (XSS) in “jog.php” #38

Open bestshow opened 7 years ago

bestshow commented 7 years ago

Product: FAB-UI Download: https://github.com/FABtotum/FAB-UI Vunlerable Version: 0.986 and probably prior Tested Version: 0.986 Author: ADLab of Venustech

Advisory Details: Multiple Cross-Site Scripting (XSS) were discovered in“FAB-UI 0.986”, which can be exploited to execute arbitrary code. The vulnerabilities exist due to insufficient filtration of user-supplied data in multiple HTTP POST parameters passed to the “FAB-UI-master/recovery/jog.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. The exploitation examples below use the "alert()" JavaScript function to see a pop-up messagebox: Poc: (1) Post: feed=" /><input type="text To http://localhost/github12/zip/FABtotum_master/FAB-UI-master/recovery/jog.php

bestshow commented 7 years ago

Excuse me, is there anyone dealing with this issue?