| Field | Value |
|---|---|
| Title | Genexis Tilgin Home Gateway 322_AS0500-03_05_13_05 Injection |

Description:

Stored XSS, also known as persistent XSS, occurs when a malicious script is injected directly into a web application's stored data (e.g., database, file system). This type of XSS is especially dangerous because the malicious script is served to every user who accesses the affected page. The attacker typically exploits a vulnerable input field (such as a comment section or profile field) to store their script. When other users visit the page where the script is stored, it executes in their browser as if it were legitimate content from the web application, leading to potential data theft, session hijacking, or other malicious activity.

Steps to Reproduce:

1. Log in to http://IP/vood/cgi-bin/vood_view.cgi?act=index&lang=EN#
2. Navigate to the page http://IP/vood/cgi-bin/vood_view.cgi?lang=EN&act=user/spec_conf&sessionId=86213915328111654515&user=A&message2user=Account%20updated
3. Insert the generic payload into the "Phone Number" parameter.
4. Save.

Impact:

Stored Cross-Site Scripting (XSS) occurs when malicious scripts are injected into a web application and stored on the server, affecting every user who views the compromised content. The impact includes the theft of sensitive information such as cookies, session tokens, or user credentials, leading to account hijacking or identity theft. Additionally, attackers can manipulate site content, spread malware, or perform actions on behalf of users, compromising the integrity and security of the website.

Mitigation:

1. Input Validation and Sanitization
2. Output Encoding
3. Content Security Policy (CSP)
4. Use of Secure Libraries and Frameworks
5. Database Escaping
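The first three mitigations above, worked as an added Python example that is not part of this VulDB entry or of the gateway's firmware: the "Phone Number" value is checked against an allowlist on input, HTML-encoded when the stored value is written back into the page, and served with a CSP that blocks inline script, then exercised with a constructed benign number and a constructed script payload. The allowlist pattern, the CSP policy and the function names are assumptions, not the vendor's rules.

```python
import html
import re

# Assumed allowlist for a phone-number field: optional leading "+", then digits
# with spaces, dots, dashes and parentheses. Script tags can never match it.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .()-]{2,30}$")


def validate_phone_number(value: str) -> bool:
    """Mitigation 1 (input validation): accept only allowlisted characters."""
    return PHONE_RE.fullmatch(value.strip()) is not None


def render_phone_number(stored_value: str) -> str:
    """Mitigation 2 (output encoding): encode for an HTML text context before
    the stored value is placed back into the profile page."""
    return '<td id="phone">' + html.escape(stored_value, quote=True) + "</td>"


def csp_header() -> str:
    """Mitigation 3 (defence in depth): a policy that refuses inline script,
    so a value that slipped past encoding still does not execute."""
    return ("Content-Security-Policy: default-src 'self'; "
            "script-src 'self'; object-src 'none'")


def handle_update(value: str):
    """Simulate the 'Save' step: reject bad input, otherwise store and render
    the encoded value. Returns None when the value is rejected."""
    if not validate_phone_number(value):
        return None
    return render_phone_number(value)


# Constructed sample inputs: a legitimate number and a generic script payload
# of the kind the report describes being stored via the "Phone Number" field.
BENIGN = "+31 20 123 4567"
PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(csp_header())
    for value in (BENIGN, PAYLOAD):
        print(f"{value!r} -> accepted={validate_phone_number(value)}")
        print("  if it were already stored, it renders as:",
              render_phone_number(value))
```

Even if the allowlist were later relaxed, `render_phone_number` alone turns the stored payload into inert text, which is why output encoding is the control to rely on.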

| Field | Value |
|---|---|
| User | The_Druk (UID 70236) |
| Submission | 08/13/2024 04:47 (2 years ago) |
| Moderation | 08/20/2024 20:02 (8 days later) |
| Status | Accepted |
| VulDB entry | 275291 [Genexis Tilgin Home Gateway 322_AS0500-03_05_13_05 Phone Number cross site scripting] |
| Points | 17 |