FAB-UI – Multiple Cross-Site Scripting (XSS) in “jog.php” #38

@bestshow

Description

Product: FAB-UI
Download: https://github.com/FABtotum/FAB-UI
Vulnerable Version: 0.986 and probably prior
Tested Version: 0.986
Author: ADLab of Venustech

Advisory Details:
Multiple Cross-Site Scripting (XSS) vulnerabilities were discovered in "FAB-UI 0.986"; they can be exploited to run arbitrary script in a victim's browser.
The vulnerabilities exist due to insufficient filtering of user-supplied data in multiple HTTP POST parameters passed to the "FAB-UI-master/recovery/jog.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to display a pop-up message box:
PoC:
(1)
POST: feed=" /><script>alert(1);</script><script>alert(1);</script><input type="text
to
http://localhost/github12/zip/FABtotum_master/FAB-UI-master/recovery/jog.php
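The pattern the advisory describes, shown as an added illustration that is not FAB-UI's own code: a POST parameter reflected into an HTML attribute without escaping, beside the escaped form. The attribute context, the function names and the optional numeric check are assumptions; the real jog.php may reflect the value differently.

```php
<?php
// Added example (not FAB-UI code). Assumes jog.php echoes the "feed"
// POST parameter into the value attribute of an <input>; the payload
// is the one quoted in the advisory.

// Vulnerable pattern: raw value concatenated into markup. A value that
// starts with  " />  closes the attribute and the tag, so the <script>
// elements that follow become live HTML when the page is rendered.
function render_feed_input_unsafe(string $feed): string
{
    return '<input type="text" name="feed" value="' . $feed . '" />';
}

// Hardened pattern: escape for the HTML attribute context.
// ENT_QUOTES encodes both " and ' so the value can never terminate the
// attribute; ENT_SUBSTITUTE returns U+FFFD for malformed UTF-8 instead
// of an empty string (which would silently drop the user's input).
function render_feed_input_safe(string $feed): string
{
    $escaped = htmlspecialchars($feed, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="feed" value="' . $escaped . '" />';
}

// Defence in depth (assumption: if "feed" is meant to be a feed rate,
// strict validation rejects the payload before it reaches any template).
function validate_feed_rate(string $feed): ?float
{
    $value = filter_var($feed, FILTER_VALIDATE_FLOAT);
    return ($value === false || $value < 0) ? null : $value;
}

// Constructed request body carrying the advisory's payload.
$_POST['feed'] = '" /><script>alert(1);</script><script>alert(1);</script><input type="text';
$feed = (string) ($_POST['feed'] ?? '');

$unsafe = render_feed_input_unsafe($feed);
$safe   = render_feed_input_safe($feed);

// The unescaped output still contains a live <script> tag; the escaped
// output contains none, and the numeric check rejects the value outright.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(validate_feed_rate($feed) === null);

echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;
```

Run with `php -d zend.assertions=1 example.php` so the assertions are evaluated; the same `htmlspecialchars` call belongs on every other reflected POST parameter in jog.php, not only `feed`.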
