Open-AuditIT Professional 2.1 - Cross-Site Scripting

EDB-ID: 44354
Author: Nilesh Sapariya
Published: 2018-03-28
CVE: CVE-2018-8903
Type: Webapps
Platform: PHP
Vulnerable App: N/A

 # Date: 27-03-2018 
# Exploit Author: Nilesh Sapariya
# Contact: https://twitter.com/nilesh_loganx
# Website: https://nileshsapariya.blogspot.com
# Vendor Homepage: https://www.open-audit.org/
# Version: 2.1
# CVE : CVE-2018-8903
# Category: Webapp Open-AuditIT Professional 2.1


1. Description:-
It was observed that attacker is able to inject a malicious script in the
Application. As server is not filtering the inputs provided by an attacker
and the script executes in the victim browser when he tries to visit the
page


2. Proof of Concept
Login into Open-AuditIT Professional 2.1
1] Go to Home ==> Credentials
2] Enter XSS payload in Name and Description Field
"><img src=x onerror=alert(1337);>
3] Click on Submit
Visi this page :-
http://localhost/omk/open-audit/credentials

​​3] POCs and steps:
https://nileshsapariya.blogspot.ae/2018/03/csrf-to-xss-open-auditit-professional-21.html

Related Posts