Submit #109: CoreHR - Core Portal CoreHR v27 < v27.0.7 - Stored Cross Site Scripting (XSS)

Information

Title: CoreHR - Core Portal CoreHR v27 < v27.0.7 - Stored Cross Site Scripting (XSS)

Description: The CoreHR Core Portal by CoreHR was found to not consistently validate client side input, and as a result, it was vulnerable to Stored Cross-Site Scripting. Cross-Site Scripting attacks are a type of injection vulnerability, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser script, to a different end user. The malicious script then can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site, or even rewrite the content of the HTML page. Both confidentiality and integrity are affected. The affected component is an unspecified item of the Core Portal component. Full details on the vulnerability won't be disclosed to the public. A working exploit has been created by Alessandro Magnosi (d3adc0de), but it won't be released to the public. CVE-2019-18221 has been assigned to the issue.

Affected versions:
v27.0.6 - Fixed in 27.0.7
v22 - Fixed in upcoming Minor Release of 7th Nov 2019
v25 - Fixed in Minor Release of 12th Sep 2019

References to the fixes: Refer to the release notes of any of the fixed release.
User: Anonymous User
Submission: 24.10.2019 11:25 (7 years ago)
Moderation: 25.10.2019 09:42 (22 hours later)
Status: accepted
VulDB Entry: 144170 [CoreHR Core Portal up to 27.0.6 Stored cross site scripting]
Points: 17
