जमा करें #519791: timschofield WebERP 5.0.0.rc+13 Cross Site Scriptingजानकारी

शीर्षकtimschofield WebERP 5.0.0.rc+13 Cross Site Scripting
विवरणA Cross-Site Scripting (XSS) vulnerability exists in the application, which allows a user with the Inquiries/Order Entry security role to inject malicious scripts through the Narrative field when creating an order. This XSS attack can lead to privilege escalation, allowing the attacker to create a new user with System Administrator privileges. The attack is triggered when a user with permissions to create new users accesses the Confirm Dispatch and Invoice page. An attacker can exploit this vulnerability by sending a specially crafted URL to a system administrator. The administrator, unaware of the malicious payload, opens the link, unknowingly executing the script. This results in a new System Administrator user being created in the system. The malicious payload is rendered from this script: ConfirmDispatch_Invoice.php - The vendor was contacted on February 24th via email and by submitting a GitHub security advisory. The vendor accepted the advisory and was fast with responses. - When asked about a demo environment, the vendor said they did not have any and asked if I could set it up. - Demo environment was set up for the vendor on February 25th. - Vendor did not respond after the demo environment was provided. Several attempts for contact were made via the advisory and email. Last contact was on February 24th via email.
स्रोत⚠️ https://www.singto.io/pocsforexploits/weberp/weberp-xss-confirm-dispatch.html
उपयोगकर्ता Jelle Janssens (UID 81048)
सबमिशन13/03/2025 08:44 AM (1 वर्ष पहले)
संयम24/03/2025 12:40 PM (11 days later)
स्थितिस्वीकृत
VulDB प्रविष्टि300735 [timschofield webERP तक 5.0.0.rc+13 Confirm Dispatch and Invoice Page ConfirmDispatch_Invoice.php Narrative क्रॉस साइट स्क्रिप्टिंग]
अंक20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!