Open-AuditIT Professional 2.1 Cross Site Scripting

🗓️ 28 Mar 2018 00:00:00Reported by Nilesh SapariyaType

packetstorm🔗 packetstormsecurity.com👁 35 Views

Open-AuditIT Professional 2.1 Stored Cross-Site Scripting (XSS) vulnerabilit

Reporter	Title	Published	Views	Family All 11
0day.today	Open-AuditIT Professional 2.1 - Cross-Site Scripting Vulnerability	29 Mar 201800:00	–	zdt
ATTACKERKB	CVE-2018-8903	22 Mar 201821:29	–	attackerkb
CNVD	Open-AudIT Professional Cross-Site Scripting Vulnerability	28 Mar 201800:00	–	cnvd
CVE	CVE-2018-8903	22 Mar 201821:00	–	cve
Cvelist	CVE-2018-8903	22 Mar 201821:00	–	cvelist
Exploit DB	Open-AuditIT Professional 2.1 - Cross-Site Scripting	28 Mar 201800:00	–	exploitdb
EUVD	EUVD-2018-20511	7 Oct 202500:30	–	euvd
exploitpack	Open-AuditIT Professional 2.1 - Cross-Site Scripting	28 Mar 201800:00	–	exploitpack
NVD	CVE-2018-8903	22 Mar 201821:29	–	nvd
OSV	CVE-2018-8903	22 Mar 201821:29	–	osv

`# Exploit Title: Open-AuditIT Professional 2.1 - Stored Cross site scripting (XSS)  
# Date: 27-03-2018  
# Exploit Author: Nilesh Sapariya  
# Contact: https://twitter.com/nilesh_loganx  
# Website: https://nileshsapariya.blogspot.com  
# Vendor Homepage: https://www.open-audit.org/  
# Version: 2.1  
# CVE : CVE-2018-8903  
# Category: Webapp Open-AuditIT Professional 2.1  
  
  
1. Description:-  
It was observed that attacker is able to inject a malicious script in the  
Application. As server is not filtering the inputs provided by an attacker  
and the script executes in the victim browser when he tries to visit the  
page  
  
  
2. Proof of Concept  
Login into Open-AuditIT Professional 2.1  
1] Go to Home ==> Credentials  
2] Enter XSS payload in Name and Description Field  
"><img src=x onerror=alert(1337);>  
3] Click on Submit  
Visi this page :-  
http://localhost/omk/open-audit/credentials  
  
aa3] POCs and steps:  
https://nileshsapariya.blogspot.ae/2018/03/csrf-to-xss-open-auditit-professional-21.html  
  
`

28 Mar 2018 00:00Current

5.6Medium risk

Vulners AI Score5.6

EPSS0.00188