Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormRanjeet JaiswalPACKETSTORM:148590
HistoryJul 18, 2018 - 12:00 a.m.

Open-AudIT Community 2.1.1 Cross Site Scripting

2018-07-1800:00:00
Ranjeet Jaiswal
packetstormsecurity.com
23

EPSS

0.001

Percentile

43.0%

JSON
`#######################################  
# Exploit Title: Open-AudIT Community - 2.1.1 - Cross Site Scripting Vulnerability  
# Google Dork:NA  
# #######################################  
# Exploit Author: Ranjeet Jaiswal#  
#######################################  
# Vendor Homepage: https://opmantek.com/  
# Software Link:http://dl-openaudit.opmantek.com/OAE-Win-x86_64-  
release_2.2.1.exe  
# Affected Version: 2.1.1  
# Category: WebApps  
# Tested on: Windows 10  
# CVE : CVE-2018-11124  
#  
# 1. Vendor Description:  
#  
# Network Discovery and Inventory Software | Open-AudIT | Opmantek  
Discover what's on your network  
Open-AudIT is the world's leading network discovery, inventory and audit  
program. Used by over 10,000 customers.  
#  
# 2. Technical Description:  
#  
# Cross-site scripting (XSS) vulnerability in Attributes functionality in  
Open-AudIT Community edition before 2.2.2 allows remote attackers to inject  
arbitrary web script or HTML via a crafted attribute name of a Attribute,  
as demonstrated in below POC.  
#  
# 3. Proof Of Concept:  
  
3.1. Proof of Concept for Injecting html contain  
  
# #Step to reproduce.  
Step1:Login in to Open-Audit  
Step2:Go to Attributes page  
Step3:Select any attribute which are listed  
Step4:click on details tab.  
Step5:In the Name field put the following payload and click submit.  
  
<p>Sorry! We have moved! The new URL is: <a href="http://geektyper.com/">  
Open-Audit</a></p>  
  
Step6:Go to export tab and export using HTML Table  
Step7:When user open download attribute.html file.You will see redirection  
hyperlink.  
Step8:When user click on link ,User will be redirected to Attacker or  
malicious website.  
  
3.2. Proof of Concept for Injecting web script(Cross-site scripting(XSS))  
  
# #Step to reproduce.  
Step1:Login in to Open-Audit  
Step2:Go to Attributes page  
Step3:Select any attribute which are listed  
Step4:click on details tab.  
Step5:In the Name field put the following payload and click submit.  
  
<script>alert(hack)</script>  
  
Step6:Go to export tab and export using HTML Table  
Step7:When user open download attribute.html file.Alert Popup will execute.  
  
  
  
# 4. Solution:  
#  
# Upgrade to latest release of Open-AudIT version  
# https://opmantek.com/network-tools-download/open-audit/  
  
`

Related

cvelist 1
exploitdb 1
nvd 1
openvas 1
zdt 1
cve 1
exploitpack 1
osv 1
prion 1
cvelist
cvelist
CVE-2018-11124
2018-07-06 14:00:00
exploitdb
exploitdb
Open-AudIT Community 2.1.1 - Cross-Site Scripting
2018-07-18 00:00:00
nvd
nvd
CVE-2018-11124
2018-07-06 14:29:00
openvas
openvas
Open-AudIT Community 'Attributes' Functionality Cross Site Scripting Vulnerability
2018-07-16 00:00:00
zdt
zdt
Open-AudIT Community 2.1.1 - Cross-Site Scripting Vulnerability
2018-07-19 00:00:00
cve
cve
CVE-2018-11124
2018-07-06 14:29:00
exploitpack
exploitpack
Open-AudIT Community 2.1.1 - Cross-Site Scripting
2018-07-18 00:00:00
osv
osv
CVE-2018-11124
2018-07-06 14:29:00
prion
prion
Cross site scripting
2018-07-06 14:29:00

EPSS

0.001

Percentile

43.0%

JSON
Related for PACKETSTORM:148590
cvelist1exploitdb1nvd1openvas1zdt1cve1exploitpack1osv1prion1