Lucene search

K
htbridgeHigh-Tech BridgeHTB23221
HistoryJun 25, 2014 - 12:00 a.m.

Reflected Cross-Site Scripting (XSS) in MyWebSQL

2014-06-2500:00:00
High-Tech Bridge
www.htbridge.com
27

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

66.3%

High-Tech Bridge Security Research Lab discovered vulnerability in MyWebSQL, which can be exploited to perform Cross-Site Scripting (XSS) attacks.

  1. Reflected Cross-Site Scripting (XSS) in MyWebSQL: CVE-2014-4735

The vulnerability is caused by insufficient sanitization of the “table” HTTP GET parameter passed to “/index.php” script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of vulnerable website. Further exploitation of this vulnerability may grant an attacker full access to the website’s databases and get complete control over it.

The following exploitation example uses the alert() JavaScript function to display “immuniweb” word:

http://[host]/?q=wrkfrm&type=exporttbl&table=%27;%3C/script%3E%3Cscript%3Eal ert%28%27immuniweb%27%29;%3C/script%3E

CPENameOperatorVersion
mywebsqlle3.4

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

66.3%

Related for HTB23221