FAB-UI icon indicating copy to clipboard operation
FAB-UI copied to clipboard

Published 20 hours ago verified publisher icon FABtotum

FAB-UI – Cross-Site Scripting (XSS) in "factory.php"

Open bestshow opened this issue 7 years ago • 1 comments

Product: FAB-UI Download: https://github.com/FABtotum/FAB-UI Vunlerable Version: 0.986 and probably prior Tested Version: 0.986 Author: ADLab of Venustech

Advisory Details: A Cross-Site Scripting (XSS) was discovered in "FAB-UI 0.986", which can be exploited to execute arbitrary code. The vulnerability exists due to insufficient filtration of user-supplied data in the “callback” HTTP GET parameter passed to the “FAB-UI-master/api/factory.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to see a pop-up messagebox: Poc: http://localhost/.../FAB-UI-master/api/factory.php?callback=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22

bestshow avatar Mar 09 '17 13:03 bestshow

Excuse me, is there anyone dealing with this issue?

bestshow avatar Mar 22 '17 17:03 bestshow