Vendor: EasyService Billing
By: Divya Jain
CVSS: 6.1 (MEDIUM)
CWE: CWE-79 (Cross-Site Scripting)
Product Name: EasyService Billing
Affected Version From: EasyService Billing 1.0
Affected Version To: EasyService Billing 1.0
Patch Exists: YES
Related CVE: CVE-2018-11443
CPE: a:codecanyon:easyservice_billing
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux x64
2018
EasyService Billing 1.0 Cross-Site Scripting in ‘q’ Parameter
A Cross-Site Scripting (XSS) vulnerability was discovered in EasyService Billing 1.0. The value of the 'q' parameter of the 'jobcard-ongoing.php' script is written into the generated page without sufficient sanitization or output encoding. A remote attacker can therefore craft a link to the vulnerable script whose 'q' value contains HTML and script code; when a victim opens that link, the injected code is rendered and executed in the victim's browser in the context of the vulnerable website.
Mitigation:
Input validation should be used to ensure that untrusted data is not used to dynamically generate web content: validate the 'q' parameter against an allow-list of accepted characters and lengths that strictly conforms to the expected search term format, and reject anything else. Validation alone is not a complete fix for XSS; the value must also be encoded for the context in which it is output (for an HTML body in PHP, htmlspecialchars() with ENT_QUOTES and an explicit UTF-8 charset) so that it can never be interpreted as markup. Additionally, it is recommended to disable the 'Allow HTML tags in forms' option in the 'Admin Panel' of the application.
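The following PHP is an added illustration of the vulnerable pattern the advisory describes and of the mitigation above, placed side by side. It is not EasyService Billing's own code: only the script name 'jobcard-ongoing.php' and the 'q' parameter come from the advisory; the function names, the search-term character policy and the rendered markup are assumptions made for the example.

```php
<?php
// Added example, not code from EasyService Billing. The 'q' parameter and
// jobcard-ongoing.php come from the advisory; everything else here is assumed.
declare(strict_types=1);

// --- Vulnerable pattern (what the advisory describes) ------------------------
// The query-string value is concatenated straight into the HTML response, so a
// link such as jobcard-ongoing.php?q=<script>...</script> is rendered as markup
// and the script runs in the browser of whoever opens the link.
function renderOngoingJobcardsVulnerable(array $get): string
{
    $q = $get['q'] ?? '';
    return '<h2>Ongoing jobcards matching: ' . $q . '</h2>';
}

// --- Hardened pattern ---------------------------------------------------------
// 1) Allow-list validation. A jobcard search term only needs letters, digits,
//    spaces and a little punctuation; anything else is rejected, not cleaned.
//    The character policy below is an assumption for this example; tighten it
//    to the real field format.
function validateSearchTerm(string $q): ?string
{
    $q = trim($q);
    if ($q === '' || strlen($q) > 64) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9 ._\-]+$/', $q)) {
        return null;
    }
    return $q;
}

// 2) Contextual output encoding. Even a validated value is encoded for the HTML
//    body context before it is echoed; ENT_QUOTES also covers attribute
//    contexts, ENT_SUBSTITUTE avoids returning an empty string on bad UTF-8.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderOngoingJobcardsHardened(array $get): string
{
    // q[]=... would arrive as an array; treat anything that is not a string
    // as absent rather than casting it.
    $raw = $get['q'] ?? null;
    $q = validateSearchTerm(is_string($raw) ? $raw : '');
    if ($q === null) {
        // Do not echo the rejected value back, not even encoded.
        return '<h2>Ongoing jobcards</h2><p>Invalid search term.</p>';
    }
    return '<h2>Ongoing jobcards matching: ' . esc($q) . '</h2>';
}

// Constructed requests standing in for $_GET on jobcard-ongoing.php.
$crafted = ['q' => '<script>alert(document.cookie)</script>'];
$benign  = ['q' => 'Jobcard-2018.01'];

echo renderOngoingJobcardsVulnerable($crafted), PHP_EOL;
echo renderOngoingJobcardsHardened($crafted), PHP_EOL;
echo renderOngoingJobcardsHardened($benign), PHP_EOL;
// esc() on its own shows why encoding is the last line of defence even when
// validation is relaxed: the tags survive as text, never as markup.
echo esc('<b>not bold</b> & "quoted"'), PHP_EOL;
```

Run it with `php example.php`: the first line contains the raw script element, the hardened handler refuses the crafted value with a fixed message, and the final line shows the angle brackets, ampersand and quotes turned into entities. In the real script the same two steps (reject on validation failure, encode on output) should be applied wherever 'q' is echoed, including any hidden form field or attribute that re-populates the search box.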