Summary
Cross-Site Scripting (XSS) is a web security vulnerability that occurs when a web application allows attackers to inject malicious scripts into web pages that are viewed by other users. This type of attack takes advantage of the trust that a user has in a particular website, as the injected script is executed in the context of the victim's browser. Attackers typically exploit vulnerabilities in input validation and output encoding, allowing them to insert scripts that can steal sensitive information, manipulate the appearance of the page, or perform actions on behalf of the user without their consent.
Patches
facileManager-v4.5.1
PoC
For the facileManager web application, we have found that XSS was present in almost all of the input fields as there is insufficient input validation.
To further demonstrate and explain this, here are the steps to reproduce this issue:
- Log in to your account.
- Navigate to admin > user & groups.
- Create a new user.
- Input valid values in all of the fields.
- In the “User Comment” field, input <script>alert();</script> as shown in the image.
- Click save and refresh the page.
- An alert box pops up, meaning that JavaScript was successfully injected and executed in the web application.
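The alert fires on refresh because the stored comment is written back into the page without output encoding. The following added example (not facileManager source code and not part of the original advisory) shows that pattern beside a hardened version in PHP, the language facileManager is written in. The `$user` record and the `render_row_unsafe`, `render_row_safe` and `h` functions are hypothetical names chosen for illustration.

```php
<?php
// Added example: hypothetical names, not facileManager source code.

// Constructed sample record, as it would come back from the database after
// the "User Comment" value from the steps above was saved unmodified.
$user = [
    'login'   => 'jdoe',
    'comment' => '<script>alert();</script>',
];

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so the browser parses it as HTML and runs the script on every page view.
function render_row_unsafe(array $user): string
{
    return '<tr><td>' . $user['login'] . '</td>'
         . '<td title="' . $user['comment'] . '">' . $user['comment'] . '</td></tr>';
}

// Encode for HTML text and quoted-attribute contexts. ENT_QUOTES covers both
// quote characters; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead
// of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every stored field is encoded at the point of output,
// so the comment is displayed as literal text in both contexts.
function render_row_safe(array $user): string
{
    $comment = h($user['comment']);
    return '<tr><td>' . h($user['login']) . '</td>'
         . '<td title="' . $comment . '">' . $comment . '</td></tr>';
}

echo render_row_unsafe($user), PHP_EOL; // script element reaches the browser intact
echo render_row_safe($user), PHP_EOL;   // angle brackets arrive as entities, inert text
```

Encoding at output protects every page that displays the field regardless of how the value entered the database, which is why it complements rather than replaces input validation.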