Submission #109: CoreHR - Core Portal CoreHR v27 < v27.0.7 - Stored Cross Site Scripting (XSS) Info

Title: CoreHR - Core Portal CoreHR v27 < v27.0.7 - Stored Cross Site Scripting (XSS)

Description: The CoreHR Core Portal by CoreHR was found to not consistently validate client-side input, and as a result, it was vulnerable to Stored Cross-Site Scripting. Cross-Site Scripting attacks are a type of injection vulnerability, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser script, to a different end user. The malicious script can then access any cookies, session tokens, or other sensitive information retained by your browser and used with that site, or even rewrite the content of the HTML page. Both confidentiality and integrity are affected. The affected component is an unspecified item of the Core Portal component. Full details on the vulnerability won't be disclosed to the public. A working exploit has been created by Alessandro Magnosi (d3adc0de), but it won't be released to the public. CVE-2019-18221 has been assigned to the issue.

Affected versions:
v27.0.6 - Fixed in 27.0.7
v22 - Fixed in upcoming Minor Release of 7th Nov 2019
v25 - Fixed in Minor Release of 12th Sep 2019

References to the fixes: Refer to the release notes of any of the fixed releases.

User: Anonymous User
Submitted: 2019-10-24 11:25 (7 years ago)
Moderated: 2019-10-25 09:42 (22 hours later)
Status: Accepted
VulDB entry: 144170 [CoreHR Core Portal up to 27.0.6 Stored cross-site scripting]
Points: 17
