4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.893 High
EPSS
Percentile
98.8%
# Exploit Title: Open-AudIT Community 2.2.6 - Cross-Site Scripting
# Google Dork:NA
# Exploit Date: 2018-08-01
# Exploit Author: Ranjeet Jaiswal
# Vendor Homepage: https://opmantek.com/
# Software Link:https://opmantek.com/network-tools-download/open-audit/
# Affected Version: 2.2.6
# Category: WebApps
# Tested on: Windows 10
# CVE : CVE-2018-14493
# 1. Vendor Description:
# Network Discovery and Inventory Software | Open-AudIT | Opmantek
# Discover what's on your network
# Open-AudIT is the world's leading network discovery, inventory and audit
# program. Used by over 10,000 customers.
# 2. Technical Description:
# Cross-site scripting (XSS) vulnerability on Groups Page in Open-AudIT
# Community edition in 2.2.6 allows remote attackers to inject arbitrary web
# script or HTML in group name,as demonstrated in below POC.
# 3. Proof Of Concept:
# 3.1. Proof of Concept for Injecting html contain
# Step to reproduce.
# Step1:Login in to Open-Audit
# Step2:Go to Group page
# Step3:Select any group which are listed
# Step4:click on "Details tab".
# Step5:In the Name field put the following payload and saveit.
<p>Sorry! We have moved! The new URL is: <a href="http://geektyper.com/
">Open-Audit</a></p>
# Step6:Click on "View Tab" in which payload is put.
# Step7:When user Click on View Tab.User will see redirection hyperlink.
# Step8:When user click on link ,User will be redirected to Attacker or
# malicious website.
# 3.2. Proof of Concept for Injecting web script(Cross-site scripting)
# #Step to reproduce.
# Step1:Login in to Open-Audit
# Step2:Go to Groups page
# Step3:Select any group which are listed
# Step4:click on "Details tab" in which payload is put.
# Step5:In the Name field put the following payload and Saveit.
<script>alert(hack)</script>
# Step6:Click on "View Tab" of group in which payoad is put.
# Step7:When user Click on View Tab an Alert Popup will execute.
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.893 High
EPSS
Percentile
98.8%