Sokrates SOWA SowaSQL Cross Site Scripting

Source: packetstormsecurity.com (PACKETSTORM:160139)
Author: Marek Holka
Published: Nov 19, 2020

EPSS: 0.001 (Low), percentile 46.8%

# Title: SOWA.OPAC Reflected Cross Site Scripting
# Vulnerability Type: Cross Site Scripting (XSS)
# Attack Type: Account Hijacking, Credential Theft, Data Leakage
# Author: Marek Holka
# Date: 2020-11-08
# Vendor: SOKRATES-software
# Software Link: https://www.demo.sowwwa.pl/sowacgi.php
# Version: SOWA.OPAC all versions up to 5.6.2
# CVE: CVE-2020-28350
# Description: A Cross Site Scripting (XSS) vulnerability exists in Sokrates SOWA SowaSQL via the "typ" parameter of sowacgi.php, which does not sanitize HTML characters. The module SOWA.WWW was fixed in 4.8.16, whereas the module SOWA.OPAC was fixed in 5.6.2.
# Attack Vectors: To exploit this vulnerability, the victim needs to open a crafted URL that injects JavaScript code into the URL parameter "typ":
https://www.demo.sowwwa.pl/sowacgi.php?KatID=0&typ=test%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
# Reference OWASP top 10: https://owasp.org/www-community/attacks/xss/
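The advisory's proof-of-concept value closes a script tag and opens a new one, which is the signature of a parameter reflected into an inline script without context-aware encoding. The following is an added example, not code from SOKRATES-software or from the original report: the `render_vulnerable` function is a hypothetical stand-in for how a page might reflect "typ" into a JavaScript string (the real rendering context in sowacgi.php is not stated on the page and is assumed here), `render_fixed` shows the encoding that keeps the value inside the string literal, and `suspicious_typ_requests` runs a detection check over constructed access-log lines for requests to sowacgi.php whose decoded "typ" value carries HTML metacharacters.

```python
"""Reflected XSS via a CGI query parameter: vulnerable vs. hardened rendering,
plus a detection check over web-server access-log lines.

Added example for this advisory; not the vendor's code. The script-string
rendering context is an assumption, and the log lines are constructed."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# URL-decoded "typ" value from the advisory's proof-of-concept URL.
POC_TYP = 'test</script><script>alert(document.domain)</script>'


def render_vulnerable(typ: str) -> str:
    """Hypothetical pre-fix behaviour: "typ" is copied verbatim into an inline
    script, so a value containing </script> ends the string and the script
    block and whatever follows is parsed as new markup."""
    return f'<script>var typ = "{typ}";</script>'


def js_string_literal(value: str) -> str:
    """Context-aware encoding for a value embedded in a JavaScript string:
    JSON-encode it, then escape the characters the HTML parser acts on, so
    neither a quote nor </script> can terminate the literal or the block."""
    encoded = json.dumps(value)
    return (encoded.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('&', '\\u0026'))


def render_fixed(typ: str) -> str:
    """Hardened rendering: the parameter is emitted as a proper JS string literal."""
    return f'<script>var typ = {js_string_literal(typ)};</script>'


def script_tag_count(page: str) -> int:
    """Number of <script opening tags the HTML parser would see. A reflected
    parameter must never raise this above what the template itself contains."""
    return len(re.findall(r'<script', page, flags=re.IGNORECASE))


# Constructed access-log lines (not from any real server): one benign request,
# one carrying HTML metacharacters in "typ", one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Nov/2020:10:01:02 +0100] "GET /sowacgi.php?KatID=0&typ=ksiazka HTTP/1.1" 200 5120
203.0.113.9 - - [19/Nov/2020:10:01:09 +0100] "GET /sowacgi.php?KatID=0&typ=test%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 5233
198.51.100.4 - - [19/Nov/2020:10:02:00 +0100] "GET /index.php HTTP/1.1" 200 812
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HTML_META = re.compile(r'[<>"\']')


def suspicious_typ_requests(log_text: str) -> list:
    """Return (client, decoded typ) for requests to sowacgi.php whose decoded
    "typ" value contains HTML metacharacters. Matching the decoded value
    catches %3C-style encoding as well as literal characters in the request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith('/sowacgi.php'):
            continue
        for typ in parse_qs(url.query).get('typ', []):
            if HTML_META.search(typ):
                hits.append((line.split()[0], typ))
    return hits


if __name__ == '__main__':
    print('vulnerable:', render_vulnerable(POC_TYP))
    print('fixed:     ', render_fixed(POC_TYP))
    for client, typ in suspicious_typ_requests(SAMPLE_LOG):
        print(f'{client} sent typ={typ!r}')
```

Counting `<script` tags in the rendered output is a cheap regression check for this class of bug: with the proof-of-concept value the vulnerable template yields two, the hardened one still yields exactly the single tag the template contains. The detection rule keys on the decoded parameter rather than on a fixed payload string, so it also flags variants that use different tags or encodings.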
