FAB-UI icon indicating copy to clipboard operation
FAB-UI copied to clipboard

Published 20 hours ago verified publisher icon FABtotum

FAB-UI – Multiple Cross-Site Scripting (XSS) in “jog.php”

Open bestshow opened this issue 7 years ago • 1 comments

Product: FAB-UI Download: https://github.com/FABtotum/FAB-UI Vunlerable Version: 0.986 and probably prior Tested Version: 0.986 Author: ADLab of Venustech

Advisory Details: Multiple Cross-Site Scripting (XSS) were discovered in“FAB-UI 0.986”, which can be exploited to execute arbitrary code. The vulnerabilities exist due to insufficient filtration of user-supplied data in multiple HTTP POST parameters passed to the “FAB-UI-master/recovery/jog.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. The exploitation examples below use the "alert()" JavaScript function to see a pop-up messagebox: Poc: (1) Post: feed=" /><input type="text To http://localhost/github12/zip/FABtotum_master/FAB-UI-master/recovery/jog.php

bestshow avatar Mar 09 '17 13:03 bestshow

Excuse me, is there anyone dealing with this issue?

bestshow avatar Mar 22 '17 17:03 bestshow