Product: Phalcon Eye
Vendor: Phalcon (https://phalconphp.com/)
Vulnerable Version: 0.4.1 and probably prior
Tested Version: 0.4.1
Author: ADLab of Venustech
Advisory Details:
I have discovered multiple Cross-Site Scripting (XSS) vulnerabilities in Phalcon Eye, which can be exploited to add, modify or delete information in the application's database and gain complete control over the application.
The vulnerability exists due to insufficient filtration of user-supplied data in multiple HTTP GET parameters passed to the "phalconeye-master/phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php" URL. An attacker could execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The exploitation examples below use the "alert()" JavaScript function to display a pop-up message box:
(1)
http://localhost/testcmsofgithub/phalconeye-master/phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php?token=%22%22);}%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3Efunction%20nopfun(){//
(2)
http://localhost/testcmsofgithub/phalconeye-master/phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php?file=%22%22);}%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3Efunction%20nopfun(){//
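The payload shape above (a closing quote and brace, then `</script>`) shows that the parameters are reflected inside a JavaScript string literal in an inline script, so HTML escaping alone would not be the right fix. The following Python is an added illustration, not code from the advisory or from the Phalcon Eye / Pydio project: the inline-script template is an assumption about how frame.php embeds `token` and `file`, and the hardened variant encodes each value for a JavaScript-string context.

```python
import json
from urllib.parse import unquote, urlsplit

# Assumed shape of the inline script in frame.php: the token/file GET values
# land inside JS string literals in a <script> block. The template is an
# illustration for the advisory, not the real Pydio/Phalcon Eye source.
UNSAFE_TEMPLATE = '<script>var f=function(){{load("{token}","{file}");}};</script>'
SAFE_TEMPLATE = '<script>var f=function(){{load({token},{file});}};</script>'

def render_unsafe(token: str, file: str) -> str:
    """Reflect the raw parameter values into the script (the defect)."""
    return UNSAFE_TEMPLATE.format(token=token, file=file)

def js_string_literal(value: str) -> str:
    """Encode value as a JS string literal that is safe inside <script>.
    JSON quoting handles quotes, backslashes and control characters;
    ensure_ascii turns U+2028/U+2029 into \\u escapes; the replacements keep
    '<', '>' and '&' out of the markup, so the literal can never contain
    '</script>'. Mirrors PHP's json_encode($v, JSON_HEX_TAG |
    JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)."""
    literal = json.dumps(value, ensure_ascii=True)
    return (literal.replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))

def render_safe(token: str, file: str) -> str:
    """Same page, with each value emitted as an encoded JS literal."""
    return SAFE_TEMPLATE.format(token=js_string_literal(token),
                                file=js_string_literal(file))

def script_openers(html: str) -> int:
    """Count '<script' tags; the template alone contributes exactly one."""
    return html.lower().count("<script")

def roundtrip(value: str) -> str:
    """The encoded literal still decodes to the original value."""
    return json.loads(js_string_literal(value))

def params_from_url(url: str) -> dict:
    """Decode token/file the way PHP would see them in $_GET."""
    out = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, raw = pair.partition("=")
        out[unquote(key)] = unquote(raw)
    return out
```

Feeding the decoded `token` value from example (1) through `render_unsafe` yields a second `<script` opener, while `render_safe` keeps the single one from the template and the value still round-trips unchanged.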