Skip to content

Latest commit

 

History

History
27 lines (21 loc) · 879 Bytes

CVE-2017-11175.md

File metadata and controls

27 lines (21 loc) · 879 Bytes

CVE-2017-11175 - XSS in J2 Innovations FIN Stack 4.0

  • Vendor: J2 Innovations
  • Product: FIN Stack
  • Version: 4.0
  • CVE: CVE-2017-11175
  • CVSS3.0 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C)

The authentication webform is vulnerable to reflected XSS via the query string to /login.

Detailed Description of the Vulnerability

An attack is performed by manipulation of the URL, which points to the login page. The attack doesn't require authentication.

http://<domain>/login?<malicious code goes here>.

PoC

http://example.com/login?a%22%3E%3Cscript%3Ealert%28%27MIR%20XSS%20Test%27%29%3C/script%3Ea=1

Timeline

  • 2017-07-05 - Vendor has been informed
  • 2017-07-11 - Submitted request for a CVE number to Mitre
  • 2017-07-12 - Mitre assigned CVE-2017-11175
  • 2017-08-25 - Innovations says that it will take a month or two to fix