High-Tech Bridge (htbridge), advisory HTB23174
Sep 18, 2013 - 12:00 a.m.

Cross-Site Scripting (XSS) in Feng Office

High-Tech Bridge
www.htbridge.com

EPSS: 0.002 (Low), percentile 59.8%

High-Tech Bridge Security Research Lab discovered a vulnerability in Feng Office that can be exploited to perform Cross-Site Scripting (XSS) attacks against users of the vulnerable application.

  1. Cross-Site Scripting (XSS) in Feng Office: CVE-2013-5744
    1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in the “ref_[any]” HTTP GET parameter passed to the “/index.php” script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
    The exploitation example below uses the JavaScript “alert()” function to display the user’s cookies:
    http://[host]/index.php?c=access&a=login&ref_abc=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
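
A log-review sketch for the issue described above, added here as an example and not part of the High-Tech Bridge advisory or of Feng Office: it flags GET requests to index.php in which any ref_* parameter decodes to HTML metacharacters. The combined access-log format, the sample lines, the benign ref_c value and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Characters that let a reflected value close an attribute or open a tag.
MARKUP = re.compile(r'[<>"\']')
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"GET (\S+) HTTP/[\d.]+"')

def suspicious_ref_params(target):
    """Return (name, decoded_value) for each ref_* parameter of a request
    to index.php whose URL-decoded value contains HTML metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return []
    return [
        (name, value)  # parse_qsl has already percent-decoded the value
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name.startswith("ref_") and MARKUP.search(value)
    ]

def scan_access_log(lines):
    """Return (line_number, parameter, decoded_value) for every hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # no GET request line in this entry
        for name, value in suspicious_ref_params(match.group(1)):
            findings.append((lineno, name, value))
    return findings

# Constructed sample log: line 2 carries the advisory's example query string,
# lines 1 and 3 are made-up benign logins (ref_c=dashboard is hypothetical).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2013:10:00:01 +0000] '
    '"GET /index.php?c=access&a=login HTTP/1.1" 200 5120',
    '192.0.2.11 - - [18/Sep/2013:10:00:07 +0000] '
    '"GET /index.php?c=access&a=login&ref_abc=%22%3E%3Cscript%3E'
    'alert%28document.cookie%29;%3C/script%3E HTTP/1.1" 200 5300',
    '192.0.2.12 - - [18/Sep/2013:10:00:09 +0000] '
    '"GET /feng/index.php?c=access&a=login&ref_c=dashboard HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    for lineno, name, value in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {name} = {value!r}")
```

A hit means the request carried markup in a ref_* parameter, not that it was reflected; whether the response echoed it unescaped depends on the installed version.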

CPE
Name          Operator   Version
feng office   le         2.3.2-rc
