
HumHub Modules Mail 0.5.8 Cross Site Scripting

Posted on 01 November 2014

Title: HumHub Modules Mail v0.5.8
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/10/31
Download: https://github.com/humhub/humhub-modules-mail
Contacted authors: 2014/10/15

----------------------------------------------------------

## Description

"Private messaging system to communicate with one or more users."

HumHub Mail Module v0.5.8 is vulnerable to an XSS attack.

Vulnerable file: /views/mail/index.php

Example of vulnerable code:

```php
selectEntry(<?php echo $_GET['id']; ?>);
```

This is vulnerable because the GET parameter 'id' is echoed directly into a JavaScript call without any sanitization or validation, so a non-numeric value is executed as script in the browser of whoever loads the page.

## PoC

If a logged-in user clicks the following link, the injected JavaScript is executed:

humhub.example/index.php?r=mail/mail/index&id=function%28%29{%20alert%28document.cookie%29;%20return%201;%20}%28%29

## Solution

Update to version 0.5.9.
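The following is an added example, not code from HumHub or from the advisory authors, showing the vulnerable echo pattern next to one way of hardening it. The function names `render_vulnerable` and `render_hardened` and the sample inputs are constructed for illustration; the advisory does not state how version 0.5.9 fixed the issue, so this is a generic defence for placing a request parameter into a script context, not the project's actual patch.

```php
<?php
// Added example (not HumHub's code). Demonstrates why writing a raw
// GET value into a JavaScript call is unsafe and how to constrain it.

// Vulnerable pattern from the advisory: whatever arrives in ?id= is
// pasted verbatim into the script, so non-numeric input becomes code.
function render_vulnerable(array $get): string
{
    return 'selectEntry(' . ($get['id'] ?? '') . ');';
}

// Hardened version. The id identifies a mail entry, so the only valid
// values are positive integers; everything else is rejected up front.
// json_encode() with the JSON_HEX_* flags is the safe way to embed a
// value inside a <script> block; for an int it simply yields the digits.
function render_hardened(array $get): string
{
    $id = filter_var(
        $get['id'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        // Missing or malformed parameter: pre-select nothing.
        return '';
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return 'selectEntry(' . json_encode($id, $flags) . ');';
}

// Constructed sample requests: a legitimate id, the advisory's PoC
// payload (URL-decoded), and a request with no id at all.
$samples = [
    ['id' => '42'],
    ['id' => 'function(){ alert(document.cookie); return 1; }()'],
    [],
];

foreach ($samples as $get) {
    echo "input:      " . var_export($get['id'] ?? null, true) . "\n";
    echo "vulnerable: " . render_vulnerable($get) . "\n";
    echo "hardened:   " . (render_hardened($get) ?: '(nothing emitted)') . "\n\n";
}
```

Run with `php example.php`: the vulnerable renderer emits the PoC payload as executable script, while the hardened renderer emits `selectEntry(42);` for the legitimate request and nothing for the other two. Rejecting the value by type is the right fix here because the parameter has exactly one legitimate shape; HTML-escaping alone would not help, since the sink is a JavaScript context rather than HTML text.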
