XSS possible in admin tool as authenticated user

Issue: SI-16
Date: Jul 3, 2013 7:45:00 AM
Severity: Low
Requires Admin Access: No
Fix Version: 3.0
Credit: Sergio Galán aka NaxoneZ
Description:

Once logged into the admin screen in the browser, several input fields accept script that is later rendered unescaped, so an authenticated user can perform XSS. The user is of course already logged in and trusted at this point.

1.- XSS
- Path: Hosts > Add/Edit Host
- Field: HostName
- After creating the host, editing it shows a message box on screen.

2.- XSS
- Path: Workflows > Schemes > Add Workflow Scheme
- Field: Name
- After creating the workflow scheme, going to Workflows > Schemes shows a message box on screen.

3.- XSS
- Path: Workflows > Schemes > Add Workflow Scheme
- Field: Description
- After creating the workflow scheme, going to Workflows > Schemes shows a message box on screen, as does editing the scheme.

4.- XSS
- Path: Polls > Edit Question
- Field: Choices
- If you create a poll with a choice like "<script>alert(23);</script>, an alert appears when you view the poll.

5.- XSS (not persistent; reflected)
- Path: Calendar
- Field: Search Field
- If you enter text like "<script>alert(23);</script>, the AJAX response produces a message box.

6.- XSS
- Path: Calendar > Add event
- Field: Name
- If you enter text like "<script>alert(23);</script>, a message box appears when you open the calendar or edit the task.

7.- XSS
- Path: Language Variables > Add New Language
- Field: Language/Country
- If you set the language or country to "<script>alert(23);</script>, a message box appears when you open the Language Variables page or edit the language.
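The common root cause in items 1 through 7 is that a stored or echoed field value is written into the admin page's markup without HTML encoding. The following is an added example, not the product's own code: the render functions, the `host` record shape and the `containsMarkup` triage helper are hypothetical, and the advisory's own payload is reused as constructed sample input. It places the unsafe concatenation beside an output-encoding fix and adds a helper for finding already stored records that need review after the fix ships.

```javascript
// Added example (not part of the advisory): output encoding for field values
// that are rendered back into admin pages, plus a triage scan for stored data.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape the five characters that change meaning inside HTML text or
// double/single-quoted attribute values. Applied at output time, not on input,
// so the stored value is preserved and every render path is covered.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern (hypothetical template): the stored HostName is concatenated
// straight into markup, which is what lets items 1-7 fire.
function renderHostRowUnsafe(host) {
  return `<tr><td>${host.hostName}</td></tr>`;
}

// Hardened pattern: the same template, with every untrusted value escaped.
function renderHostRowSafe(host) {
  return `<tr><td>${escapeHtml(host.hostName)}</td></tr>`;
}

// Reflected case (item 5): a search term echoed in an AJAX response is escaped
// the same way. In browser code, prefer element.textContent over innerHTML.
function renderSearchEcho(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Defender-side triage: flag stored values containing markup-significant
// characters or entities so existing records can be reviewed. This is a
// heuristic for review, not an input blocklist; the escaping above is the fix.
function containsMarkup(value) {
  const s = String(value);
  return /[<>]/.test(s) || /&#?\w+;/.test(s);
}

// Constructed sample input: the payload quoted in the advisory.
const PAYLOAD = '"<script>alert(23);</script>';

function demo() {
  const host = { hostName: PAYLOAD };
  return {
    unsafe: renderHostRowUnsafe(host),
    safe: renderHostRowSafe(host),
    echo: renderSearchEcho(PAYLOAD),
    flagged: containsMarkup(PAYLOAD),
  };
}

console.log(demo());
```

The escaped output renders the payload as literal text (`&lt;script&gt;...`), so the browser never creates a script element. Escaping belongs in the template layer, since the same stored value is shown on several screens (list view and edit form in items 1 to 3); a template engine with auto-escaping enabled gives the same result without per-field calls.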
