Metasploit 4.1.0 Web UI stored XSS vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2011-10-24T00:00:00


Advisory: Metasploit 4.1.0 Web UI stored XSS vulnerability
Advisory ID: SSCHADV2011-033
Author: Stefan Schurtz
Affected Software: Successfully tested on Metasploit Community Edition
Vendor URL:
Vendor Status: fixed
EDB-ID: 18012

==========================
Vulnerability Description:
==========================

The "project[name]" parameter of the Metasploit 4.1.0 Web UI is prone to a stored XSS vulnerability.

==================
Technical Details:
==================

Login to Web UI -> Create New Project -> Project name -> '"</script><script>alert(document.cookie)</script>
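
An added illustration (not part of the advisory and not Metasploit's own code) of the output encoding that keeps a stored project name inert when it is rendered. It assumes, from the payload's leading </script>, that the name is echoed inside an inline script block; the templates and function names are hypothetical.

```ruby
require "erb"
require "json"

# Constructed sample: the project name given in the Technical Details step.
PAYLOAD = %q{'"</script><script>alert(document.cookie)</script>}

# Unsafe (hypothetical template): the stored value is interpolated verbatim
# into an inline script block, so the browser's HTML parser sees the
# attacker-supplied </script> and ends the element there.
def render_unsafe(name)
  %(<script>var project = "#{name}";</script>)
end

# HTML body context: entity-encode <, >, &, " and ' before output.
def render_html(name)
  "<h1>#{ERB::Util.html_escape(name)}</h1>"
end

# Script context: HTML entity encoding is the wrong tool here. Emit a JSON
# string literal, then \u-escape the characters that could close the script
# element, open an HTML comment, or break a JavaScript line.
def js_literal(name)
  name.to_json.gsub(/[<>&\u2028\u2029]/) { |c| format("\\u%04x", c.ord) }
end

def render_script(name)
  "<script>var project = #{js_literal(name)};</script>"
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(PAYLOAD)   # two <script> elements: markup was injected
  puts render_html(PAYLOAD)     # name shown as text
  puts render_script(PAYLOAD)   # one <script> element, name is plain data
end
```

The escaped literal still decodes to the original name in JavaScript, so the fix changes how the value is written into the page, not what the user stored.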

=========
Solution:
=========

====================
Disclosure Timeline:
====================

19-Oct-2011 - informed developers
20-Oct-2011 - fixed by vendor
20-Oct-2011 - release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.
