Vulners
Lucene search
Open-AudIT Community 2.1.1 Cross Site Scripting
🗓️ 18 Jul 2018 00:00:00Reported by Ranjeet JaiswalType 
packetstorm🔗 packetstormsecurity.com👁 32 Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | Open-AudIT Community 2.1.1 - Cross-Site Scripting Vulnerability | 19 Jul 201800:00 | – | zdt |
 | Open-AudIT Cross-Site Scripting Vulnerability (CNVD-2018-12810) | 9 Jul 201800:00 | – | cnvd |
 | CVE-2018-11124 | 6 Jul 201814:00 | – | cve |
 | CVE-2018-11124 | 6 Jul 201814:00 | – | cvelist |
 | Open-AudIT Community 2.1.1 - Cross-Site Scripting | 18 Jul 201800:00 | – | exploitdb |
 | EUVD-2018-3166 | 7 Oct 202500:30 | – | euvd |
 | Open-AudIT Community 2.1.1 - Cross-Site Scripting | 18 Jul 201800:00 | – | exploitpack |
 | CVE-2018-11124 | 6 Jul 201814:29 | – | nvd |
 | Open-AudIT Community 'Attributes' Functionality Cross Site Scripting Vulnerability | 16 Jul 201800:00 | – | openvas |
 | Cross site scripting | 6 Jul 201814:29 | – | prion |
10
`#######################################
# Exploit Title: Open-AudIT Community - 2.1.1 - Cross Site Scripting Vulnerability
# Google Dork:NA
# #######################################
# Exploit Author: Ranjeet Jaiswal#
#######################################
# Vendor Homepage: https://opmantek.com/
# Software Link:http://dl-openaudit.opmantek.com/OAE-Win-x86_64-
release_2.2.1.exe
# Affected Version: 2.1.1
# Category: WebApps
# Tested on: Windows 10
# CVE : CVE-2018-11124
#
# 1. Vendor Description:
#
# Network Discovery and Inventory Software | Open-AudIT | Opmantek
Discover what's on your network
Open-AudIT is the world's leading network discovery, inventory and audit
program. Used by over 10,000 customers.
#
# 2. Technical Description:
#
# Cross-site scripting (XSS) vulnerability in Attributes functionality in
Open-AudIT Community edition before 2.2.2 allows remote attackers to inject
arbitrary web script or HTML via a crafted attribute name of a Attribute,
as demonstrated in below POC.
#
# 3. Proof Of Concept:
3.1. Proof of Concept for Injecting html contain
# #Step to reproduce.
Step1:Login in to Open-Audit
Step2:Go to Attributes page
Step3:Select any attribute which are listed
Step4:click on details tab.
Step5:In the Name field put the following payload and click submit.
<p>Sorry! We have moved! The new URL is: <a href="http://geektyper.com/">
Open-Audit</a></p>
Step6:Go to export tab and export using HTML Table
Step7:When user open download attribute.html file.You will see redirection
hyperlink.
Step8:When user click on link ,User will be redirected to Attacker or
malicious website.
3.2. Proof of Concept for Injecting web script(Cross-site scripting(XSS))
# #Step to reproduce.
Step1:Login in to Open-Audit
Step2:Go to Attributes page
Step3:Select any attribute which are listed
Step4:click on details tab.
Step5:In the Name field put the following payload and click submit.
<script>alert(hack)</script>
Step6:Go to export tab and export using HTML Table
Step7:When user open download attribute.html file.Alert Popup will execute.
# 4. Solution:
#
# Upgrade to latest release of Open-AudIT version
# https://opmantek.com/network-tools-download/open-audit/
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Jul 2018 00:00Current
5.5Medium risk
Vulners AI Score5.5
EPSS0.00194