Exploit eGroupWare 1.0 Calendar Module - 'date' Cross-Site Scripting

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
24403
Проверка EDB
  1. Пройдено
Автор
JOXEAN KORET
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
cve-2004-1467
Дата публикации
2004-08-23
eGroupWare 1.0 Calendar Module - 'date' Cross-Site Scripting
Код:
source: https://www.securityfocus.com/bid/11013/info

It is reported that eGroupWare is susceptible to multiple cross-site scripting and HTML injection vulnerabilities.

The cross-site scripting issues present themselves in the various parameters of the 'addressbook' and 'calendar' modules. It is also reported that data input through the 'Search' fields of the 'addressbook', 'calendar', and 'search between projects' functionality are not sufficiently sanitized.

An attacker can exploit these issues for theft of cookie-based authentication credentials and other attacks.

Additionally HTML injection vulnerabilities are reported for the eGroupWare 'Messenger' module and 'Ticket' module.

Attackers may potentially exploit these issues to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

http://www.example.com/egroupware/index.php?menuaction=calendar.uicalendar.day&date=20040701"><script>alert(document.cookie)</script
 
Источник
www.exploit-db.com

Похожие темы