Lucene search
K

clientResponse Client Management 4.1 - Cross-Site Scripting

🗓️ 15 Nov 2014 00:00:00Reported by Halil DalabasmazType 
exploitpack
 exploitpack
👁 18 Views

clientResponse Client Management 4.1 XSS Vulnerability - Stored XSS in Message System & Profile Section - Filter Input Field

Code
# Exploit Title: clientResponse Client Management XSS Vulnerability
# Date: 14-10-2014
# Exploit Author: Halil Dalabasmaz
# Version: v4.1
# Vendor Homepage:
http://codecanyon.net/item/clientresponse-responsive-php-client-management/3797780
# Tested on: Chrome & Iceweasel

# Vulnerability Description:

===Stored XSS===
The message system of script is not secure. You can run XSS payloads on
"Subject" and "Message" inputs. If you use "Subject" input for attack and
send the message to admin when admin login the system it will be directly
affect by vulnerability. Also profile section inputs are vulnerable.

Sample Payload for Stored XSS: "><script>alert(document.cookie);</script>

=Solution=
Filter the input fields against to XSS attacks.
================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation