Vendor: am4ss
By: s3n4t00r
CVSS: 7,5 HIGH
XSS Stored and XSS Reflected
CWE: 79, 80
Product Name: am4ss
Affected Version From: all versions
Affected Version To: all versions
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2012
am4ss 1.2 <= Multiple Vulnerabilities
XSS Stored [1]: An attacker can register and log in to the application, create a ticket, and add malicious HTML or JavaScript code. The malicious code is stored in the application and can be accessed by visiting the tickets page.

XSS Stored [2]: An attacker can register and log in to the application, create a ticket, and change the data using Tamper Data. The malicious code is stored in the application and can be accessed by visiting the tickets page.

XSS Reflected [1]: An attacker can send a malicious request to the application, which reflects the malicious code on the response page.
Mitigation:
Input validation should be performed on all user input to prevent malicious code from being stored in the application. Output encoding should be used to prevent malicious code from being reflected on the response page.
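
The mitigation above applied to the ticket flow, as an added example that is not am4ss code or part of the original advisory: server-side validation that still holds when a request is altered in transit, and output encoding on the tickets page and the response page. The field names, length limits, priority list and function names are assumptions.

```python
import html
import re

# Assumed ticket fields and limits; the advisory does not list am4ss's real ones.
ALLOWED_PRIORITIES = {"low", "normal", "high"}
MAX_SUBJECT, MAX_BODY = 120, 5000
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def esc(value):
    """HTML-encode a value for element content or a quoted attribute."""
    return html.escape(str(value), quote=True)

def validate_ticket(form):
    """Validate a ticket on the server, on the values actually received.

    Browser-side limits do not count: a request edited in transit
    (the XSS Stored [2] case) reaches this code unchanged by the form.
    Returns (ticket, errors); ticket is None when errors is non-empty.
    """
    subject = CONTROL_CHARS.sub("", str(form.get("subject", ""))).strip()
    body = CONTROL_CHARS.sub("", str(form.get("body", ""))).strip()
    priority = str(form.get("priority", ""))
    errors = []
    if not 1 <= len(subject) <= MAX_SUBJECT:
        errors.append("subject length")
    if not 1 <= len(body) <= MAX_BODY:
        errors.append("body length")
    if priority not in ALLOWED_PRIORITIES:  # allow-list for constrained fields
        errors.append("priority not allowed")
    if errors:
        return None, errors
    return {"subject": subject, "body": body, "priority": priority}, []

def render_ticket_row(ticket):
    """Tickets page: encode every stored field at output time."""
    return (f'<tr class="prio-{esc(ticket["priority"])}">'
            f'<td>{esc(ticket["subject"])}</td>'
            f'<td>{esc(ticket["body"])}</td></tr>')

def render_search_notice(query):
    """Response page: encode a request parameter before echoing it."""
    return f"<p>No tickets match: {esc(query)}</p>"

if __name__ == "__main__":
    # Constructed sample input: free text containing markup is kept as text.
    t, _ = validate_ticket({"subject": "Login", "body": "<b>help</b>", "priority": "high"})
    print(render_ticket_row(t))
```

Free-text fields pass validation even when they contain markup, so the encoding at render time is what keeps stored values inert; the allow-list only covers fields with a fixed set of values.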