You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Product: Gazelle
Download: https://github.com/WhatCD/Gazelle
Vunlerable Version: latest version
Tested Version: latest version
Author: ADLab of Venustech
Advisory Details:
A Cross-Site Scripting (XSS) was discovered in “Gazelle latest version”, which can be exploited to execute arbitrary code.
The vulnerability exists due to insufficient filtration of user-supplied data in the “action” HTTP GET parameter passed to the “Gazelle-master/sections/tools/finances/bitcoin_balance.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to see a pop-up messagebox:
Poc: http://localhost/.../Gazelle-master/sections/tools/finances/bitcoin_balance.php?action=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22
The text was updated successfully, but these errors were encountered:
Product: Gazelle
Download: https://github.com/WhatCD/Gazelle
Vunlerable Version: latest version
Tested Version: latest version
Author: ADLab of Venustech
Advisory Details:
A Cross-Site Scripting (XSS) was discovered in “Gazelle latest version”, which can be exploited to execute arbitrary code.
The vulnerability exists due to insufficient filtration of user-supplied data in the “action” HTTP GET parameter passed to the “Gazelle-master/sections/tools/finances/bitcoin_balance.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to see a pop-up messagebox:
Poc:
http://localhost/.../Gazelle-master/sections/tools/finances/bitcoin_balance.php?action=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22
The text was updated successfully, but these errors were encountered: