123ContactForm - Cross Site Scripting Web Vulnerability

2017-06-12T00:00:00
ID VULNERLAB:1982
Type vulnerlab
Reporter ZwX - ( http://zwx.fr ) [ http://www.vulnerability-lab.com/show.php?user=ZwX ]
Modified 2017-06-12T00:00:00

Description

A client-side cross site scripting vulnerability has been discovered in the 123Contact Form web-application. The security vulnerability allows remote attackers to inject malicious script code into client-side browser requests.

The client-side cross site scripting web vulnerability is located in the Location input field. The web vulnerability could allow remote attackers to execute JavaScript in the web browser of a user or administrator to compromise session credentials. The attacker can connect to a third account to trigger the issue without knowing the password.

The security risk of the XSS vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 3.3. Exploitation of the non-persistent cross site scripting web vulnerability requires low or medium user interaction and no privileged web-application user account. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected or connected application modules.

Request Method(s): [+] GET

Vulnerable Module(s): [+] Location - Map Pro

Vulnerable File(s): [+] ajax_save_field.php

Vulnerable Parameter(s): [+] value
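The root cause of a reflected XSS of this kind is a request parameter that is written back into the response without encoding for the context it lands in. The following is an added example and not 123ContactForm's own ajax_save_field.php: a hypothetical, minimal field-save handler that reflects a "value" parameter, shown first in its vulnerable form and then hardened for an HTML response and for the JSON response an AJAX endpoint should normally return. The function names, the field markup and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example (hypothetical handler, not the project's code): reflecting a
// submitted "value" parameter in a vulnerable and in a hardened form.
declare(strict_types=1);

// Vulnerable: the parameter is concatenated into the HTML response unescaped,
// so any markup it contains is interpreted by the browser (non-persistent XSS).
function render_unsafe(array $query): string
{
    $value = $query['value'] ?? '';
    return '<span class="field-value">' . $value . '</span>';
}

// Hardened, HTML body context: htmlspecialchars with ENT_QUOTES replaces
// <, >, &, " and ' and the charset is fixed explicitly so encoding cannot be
// confused by a differing response charset.
function render_safe_html(array $query): string
{
    $value = $query['value'] ?? '';
    $encoded = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="field-value">' . $encoded . '</span>';
}

// Hardened, JSON context: an AJAX save endpoint should answer with JSON sent as
// "Content-Type: application/json; charset=utf-8". The JSON_HEX_* flags escape
// <, >, &, ' and " so the document stays inert even if a caller later embeds it
// in HTML; the client must still assign the value with textContent, not innerHTML.
function render_safe_json(array $query): string
{
    $value = $query['value'] ?? '';
    return json_encode(
        ['status' => 'ok', 'value' => (string) $value],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input: a location string containing markup characters.
$sample = ['value' => 'Paris <b>"centre"</b> & \'more\''];

echo render_unsafe($sample), PHP_EOL;     // markup passes through to the browser
echo render_safe_html($sample), PHP_EOL;  // markup is rendered as literal text
echo render_safe_json($sample), PHP_EOL;  // angle brackets and quotes are \uXXXX-escaped
```

Where a value must end up in more than one context (an HTML attribute, a script block, a URL), each context needs its own encoder; a single HTML-body escape is not a universal fix. Running the three functions over the constructed sample makes the difference visible in the raw output before any browser is involved.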