EXPECTED BEHAVIOUR
An authenticated malicious user can take advantage of a reflected XSS vulnerability in the navigate-quicksearch parameter of the URL and affect many modules.
IMPACT
Common impacts include transmitting private data, such as cookies or other session information, to the attacker; redirecting the victim to web content controlled by the attacker; or performing other malicious operations on the user's machine under the guise of the vulnerable site.
VULNERABILITY CODE
I found the vulnerable code in many files, because initial_url is built in these files.
After that, initial_url is used in the \lib\layout\navitable.class.php file to build HTML.
STEPS TO REPRODUCE
We change the request and send the link to the user:
GET /navigate-2.9.3r1525/navigate/navigate.php?fid=websites&act=list&quicksearch=true&navigate-quicksearch=0"})%3b+alert("XSS")%3b$("%23websites_list").jqGrid({//
A user who is already logged in clicks the link above.
When the page loads, the reflected XSS is executed.
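
One way to close this class of bug, shown as an added example that is not Navigate CMS code. It assumes, from the shape of the payload above, that initial_url ends up inside a double-quoted JavaScript string in the jqGrid setup; the function names and the URL layout are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not Navigate CMS source code.

// Vulnerable pattern (assumed): the raw parameter is concatenated into the
// URL, and the URL is concatenated into a double-quoted JavaScript string,
// so a double quote in the parameter ends the string literal early.
function build_grid_js_vulnerable(array $query): string
{
    $q = $query['navigate-quicksearch'] ?? '';
    $initial_url = '?fid=websites&act=list&navigate-quicksearch=' . $q;
    return '$("#websites_list").jqGrid({url: "' . $initial_url . '"});';
}

// Hardened pattern: accept only a string, percent-encode it when building
// the URL, then let json_encode() emit the JavaScript string literal
// (quotes included) with HTML-significant characters escaped as \uXXXX.
function build_grid_js_hardened(array $query): string
{
    $q = $query['navigate-quicksearch'] ?? '';
    $q = is_string($q) ? $q : '';   // reject array-style parameters

    $initial_url = '?' . http_build_query([
        'fid'                  => 'websites',
        'act'                  => 'list',
        'navigate-quicksearch' => $q,
    ], '', '&', PHP_QUERY_RFC3986);

    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return '$("#websites_list").jqGrid({url: '
         . json_encode($initial_url, $flags) . '});';
}

// Constructed input: the URL-decoded parameter value from the request above.
$query = [
    'navigate-quicksearch' => '0"}); alert("XSS"); $("#websites_list").jqGrid({//',
];

// Print both forms side by side to compare the generated script.
echo build_grid_js_vulnerable($query), PHP_EOL;
echo build_grid_js_hardened($query), PHP_EOL;
```

The same encoding has to be applied in every file that builds initial_url, or once at the point where navitable.class.php writes it into the page.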