header-logo
Suggest Exploit
vendor:
KnowledgeTree Community Edition
by:
@fdiskyou
7,5
CVSS
HIGH
Cross-Site Scripting (XSS)
79
CWE
Product Name: KnowledgeTree Community Edition
Affected Version From: 3.5.2
Affected Version To: 3.5.2
Patch Exists: YES
Related CWE: N/A
CPE: a:knowledgetree:knowledgetree_community_edition:3.5.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability

KnowledgeTree 3.5.2 Community Edition is vulnerable to a permanent XSS vulnerability. This vulnerability can be exploited by entering malicious JavaScript code into the search box or search criteria and saving the search. These searches can be shared with all users, enabling the insertion of malicious JavaScript code. To exploit this vulnerability, a user can load http://localhost/dashboard.php or http://localhost/search2.php?action=searchResults in the textbox, enter <script>alert('moo')</script> and save the search. The saved search can then be loaded to view the result.

Mitigation:

Upgrade to the latest version of KnowledgeTree 3.5.2 Community Edition.
Source

Exploit-DB raw data:

# Exploit Title: KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability 
# Date: 2010-08-11
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Software Link: http://www.knowledgetree.com/products/community/download
# Version: 3.5.2 
# Notes: Fixed in the last version. 


Go to search box or search criteria, enter your javascript code and save your search. 
These searches can be shared with all the users enabling us to insert malicious javascript code.

POC:
Load http://localhost/dashboard.php or http://localhost/search2.php?action=searchResults in the textbox enter <script>alert('moo')</script> and save your search. 
Load saved searches to view result.

Navigation

Suggest Exploit

Services By CQR