Exploit Title: Dokeos 2.1.1 Multiple Cross-Site Scripting Vulnerabilities
Author: Marcela Benetrix
Home: www.girlinthemiddle.net
Date: 10/17/12
Version: 2.1.1
Software link: www.dokeos.com
On this page, we have a form with many fields to fill in. 5 of them are vulnerable to persistent cross-site scripting. The named fields are:

extra_phone
extra_street
extra_addressline2
extra_zipcode

Via POST, we can send malicious code that is stored in the profile and served to every single user who visits the poisoned profile, in order to steal cookies, access sensitive information, or deface the web application.
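Added example (not part of the original advisory and not Dokeos code): one way to close this class of bug for the fields named above is to validate each value against an allow-list on input and HTML-encode it wherever the profile is rendered. The field names come from the advisory; the patterns, length limits and function names are assumptions chosen for illustration.

```php
<?php
// Added example, not Dokeos code. Field names are from the advisory;
// the allow-list patterns and helper names below are assumptions.

const EXTRA_FIELD_RULES = [
    'extra_phone'        => '/\A[0-9+().\- ]{0,30}\z/',
    'extra_street'       => '/\A[\p{L}\p{N} .,\'#\/\-]{0,120}\z/u',
    'extra_addressline2' => '/\A[\p{L}\p{N} .,\'#\/\-]{0,120}\z/u',
    'extra_zipcode'      => '/\A[A-Za-z0-9 \-]{0,12}\z/',
];

/** Input side: return the names of fields whose value fails its allow-list. */
function rejected_extra_fields(array $post): array
{
    $bad = [];
    foreach (EXTRA_FIELD_RULES as $name => $pattern) {
        $value = $post[$name] ?? '';
        // Non-string input (e.g. an array) and invalid UTF-8 are rejected too.
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $bad[] = $name;
        }
    }
    return $bad;
}

/** Output side: encode for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submission: one field carries markup instead of a number.
$post = [
    'extra_phone'        => '<b>not a phone</b>"',
    'extra_street'       => '12 Example Street',
    'extra_addressline2' => 'Apt. 4',
    'extra_zipcode'      => '12345',
];

// Reject the submission before it is stored.
print_r(rejected_extra_fields($post));

// Values stored before validation existed are still rendered inert,
// because encoding happens at output time on every profile view.
echo '<td>' . h($post['extra_phone']) . "</td>\n";
```

Output encoding is the control that protects visitors of an already poisoned profile; input validation alone does not clean values stored earlier.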
10/13/2012 to: email@example.com
10/23/2012 to: firstname.lastname@example.org
10/30/2012 No response, disclosure