| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2023-30454 | 30 Jan 2025 23:28 | – | circl |
| ebankIT cross-site scripting vulnerability | 28 Apr 2023 00:00 | – | cnnvd |
| CVE-2023-30454 | 28 Apr 2023 00:00 | – | cve |
| CVE-2023-30454 | 28 Apr 2023 00:00 | – | cvelist |
| EUVD-2023-34871 | 3 Oct 2025 20:07 | – | euvd |
| CVE-2023-30454 | 28 Apr 2023 19:15 | – | nvd |
| CVE-2023-30454 | 28 Apr 2023 19:15 | – | osv |
| Cross site scripting | 28 Apr 2023 19:15 | – | prion |
| PT-2023-22701 · Ebankit · Ebankit | 28 Apr 2023 00:00 | – | ptsecurity |
| CVE-2023-30454 | 23 May 2025 03:42 | – | redhatcve |
```text
CVE-2023-30454
[Description]
An issue was discovered in ebankIT before version 7.
Document Object Model based XSS exists within the
/Security/Transactions/Transactions.aspx
endpoint. Users can supply their own JavaScript within the
ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray
POST parameter that will be passed to an eval() function and executed
upon pressing the continue button.
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
ebankIT
------------------------------------------
[Affected Product Code Base]
ebankIT - Omnichannel Digital Banking Platform - Version 6, patched in version 7
------------------------------------------
[Affected Component]
The endpoint existing at: /Security/Transactions/Transactions.aspx
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
I discovered a Document Object Model-based Cross-Site Scripting issue
within the ebankIT platform. While manually inspecting the client-side
JavaScript code I came across the variable JSONText. This variable
was using the eval function to parse data passed to it through the
accobj variable. Knowing the eval function evaluates text as
JavaScript, I proceeded to locate exactly what data was passed to this
variable. I found that the data could be supplied by a user during a
Transfer request (on /Security/Transactions/Transactions.aspx), when
selecting which account to transfer from. To execute this XSS, I
intercepted our test user's Transfer request, supplied my own custom
JavaScript alert(4) in the
ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray
POST parameter, and pressed the continue button which resulted in
the payload successfully executing.
------------------------------------------
[Discoverer]
Jake Murphy
```