Vendor: Phreebooks v2.0
By: Gustavo Sorondo
CVSS: 4.3 (MEDIUM)
Vulnerability Class: Permanent Cross-site Scripting
CWE: 79
Product Name: Phreebooks v2.0
Affected Version From: Phreebooks v2.0
Affected Version To: Phreebooks v2.0
Patch Exists: N/A
Related CWE: N/A
CPE: 2.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Any running Phreebooks v2.0
Year: 2010

Multiple Permanent Cross-site Scripting in Phreebooks v2.0

Multiple permanent Cross-site Scripting vulnerabilities were found in Phreebooks v2.0, because the application fails to sanitize user-supplied input. The vulnerability can be triggered by any logged-in user who is able to add or modify Vendors, Customers, Employees or Inventory items.

Mitigation:

Sanitize user-supplied input

Exploit-DB raw data:

Advisory Name: Multiple Permanent Cross-site Scripting in Phreebooks v2.0
Internal Cybsec Advisory Id:
Vulnerability Class: Permanent Cross-site Scripting
Release Date: 2010-05-26
Affected Applications: Phreebooks v2.0
Affected Platforms: Any running Phreebooks v2.0
Local / Remote: Remote
Severity: Medium – CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Researcher: Gustavo Sorondo
Vendor Status: N/A
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
Vulnerability Description:
Multiple permanent Cross-site Scripting vulnerabilities were found in Phreebooks v2.0, because the
application fails to sanitize user-supplied input. The vulnerability can be triggered by any logged-in
user who is able to add or modify Vendors, Customers, Employees or Inventory items.


Download:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/13776.pdf (cybsec_advisory_2010_0603_Phreebooks_v2_0_Multiple_Permanent_Cross_site_Scripting.pdf)