Отправить #503323: Pix Software Vivaz 6.0.11 Reflected Cross Site ScriptingИнформация

НазваниеPix Software Vivaz 6.0.11 Reflected Cross Site Scripting
ОписаниеReflected Cross Site Scripting in Vivaz 6.0.11 Vendor: Pixsoft Product: Vivaz Version Affected: 6.0.11 Vulnerability Type: Reflected Cross Site Scripting Reference: https://www.pixsoft.com.br/vivaz-software-service-desk.htm Description: A Reflected Cross-Site Scripting (RXSS) vulnerability was discovered in Vivaz 6.0.11, a software developed by Pixsoft. The vulnerability exists in the following endpoint: /servlet?act=login&submit=1&evento=0&pixrnd=0125021817031859360231&sistema=teste"><img%20src%20onerror=alert()> It is important to note that the vulnerable endpoint may require a directory prefix, depending on the deployment. For example: NAME-OF-ENTERPRISE/servlet?act=login&submit=1&evento=0&pixrnd=0125021817031859360231&sistema=teste"><img%20src%20onerror=alert()> The parameter sistema does not properly sanitize user input before rendering it in the response, allowing arbitrary JavaScript execution in the user's browser. Proof of Concept (PoC): By accessing the following URL: https://target.com/servlet?act=login&submit=1&evento=0&pixrnd=0125021817031859360231&sistema=teste"><img%20src%20onerror=alert()> or https://target.comNAME-OF-ENTERPRISE/servlet?act=login&submit=1&evento=0&pixrnd=0125021817031859360231&sistema=teste"><img%20src%20onerror=alert()> the browser executes JavaScript, confirming the presence of an RXSS vulnerability. Impact: An attacker can exploit this vulnerability to: Steal user session cookies, potentially leading to account takeover. Execute arbitrary JavaScript in the victim's browser, enabling phishing or malicious redirects. Modify the appearance or behavior of the application to deceive users. Perform actions on behalf of an authenticated user without their consent. By: Yago Martins
Источник⚠️ https://github.com/yago3008/cves
Пользователь
 y4g0 (UID 80480)
Представление18.02.2025 21:54 (1 Год назад)
Модерация01.03.2025 08:50 (10 days later)
Статуспринято
Запись VulDB298068 [Pixsoft Vivaz 6.0.11 Login Endpoint sistema межсайтовый скриптинг]
Баллы20

ПредыдущийОбзорДалее

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!