VFront 0.99.5 Reflective Cross Site Scripting

Type packetstorm
Reporter Omer Citak
Modified 2019-05-28T00:00:00


                                            `Multiple Reflected Cross-site Scripting Vulnerabilities in VFront 0.99.5  
Advisory by Netsparker  
Name: Multiple Reflected Cross-site Scripting in VFront 0.99.5  
Affected Software: VFront  
Affected Versions: 0.99.5  
Homepage: http://www.vfront.org/  
Vulnerability: Reflected Cross-site Scripting  
Severity: High  
Status: Fixed  
CVE-ID: CVE-2019-9839  
CVSS Score (3.0): 7.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N  
Netsparker Advisory Reference: NS-19-002  
Technical Details  
URL: http://{domain}/{vfront_path}/admin/menu_registri.php  
Parameter Name: descrizione_g  
Parameter Type: POST  
Attack Pattern: <scRipt>alert(0x00938D)</scRipt>  
URL: http://{domain}/{vfront_path}/admin/sync_reg_tab.php?azzera=  
Parameter Name: azzera  
Parameter Type: GET  
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x0067C2)</scRipt>  
For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).  
Advisory Timeline  
5th April 2019 - First Contact  
16th May 2019 - Vendor Fixed  
28th May 2019 - Advisory Released  
Credits & Authors  
These issues have been discovered by Omer Citak while testing the Netsparker Web Application Security Scanner.  
About Netsparker  
Netsparker web application security scanner finds and reports security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engine’s unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities.