Release date:
Updated on:
Affected Systems:
Achievo 1.4.5
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56858
CVE (CAN) ID: CVE-2012-5866
Achievo is a WEB-based project management tool.
"Include. the php "script has a cross-site scripting vulnerability when processing the" field "parameter of http get requests. Remote attackers can inject and execute arbitrary HTML and script code in users' browser sessions.
<* Source: High-Tech Bridge
Link: http://permalink.gmane.org/gmane.comp.security.bugtraq/50940
Http://packetstormsecurity.org/files/cve/CVE-2012-5865
Https://www.htbridge.com/advisory/HTB23126
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
The following PoC (Proof Concept) outputs user's cookie:
Http: // [host]/include. php? File = atk/popups/colorpicker. inc & field = % 22% 3E % 3 Cscript % 3 Ealert % 28document. cookie % 29; % 3C/script % 3E
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Achievo
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Http://www.achievo.org
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
