header-logo
Suggest Exploit
vendor:
OpenWFE
by:
7.5
CVSS
HIGH
Cross-Site Scripting and Connection Proxy
Cross-Site Scripting (XSS) and Improper Access Control
CWE
Product Name: OpenWFE
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

OpenWFE Cross-Site Scripting and Connection Proxy Vulnerability

The OpenWFE application fails to properly sanitize user-supplied input, leading to a cross-site scripting vulnerability. This can be exploited by an attacker to steal authentication credentials and execute malicious code in a user's browser. Additionally, OpenWFE is also affected by a connection proxy vulnerability, allowing anonymous scanning of network computers.

Mitigation:

To mitigate the cross-site scripting vulnerability, it is recommended to implement proper input sanitization and validation mechanisms. Additionally, OpenWFE should address the connection proxy vulnerability by implementing proper access controls and authentication mechanisms.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/11514/info

OpenWFE is affected by a cross-site scripting and connection proxy vulnerability. These issues are due to a failure of the application to properly sanitize user-supplied input.

An attacker may leverage the cross-site scripting issue to steal cookie-based authentication credentials as well as carry out other attacks by executing client-based script code in an unsuspecting user's browser. An attacker may leverage the connection proxy issue to scan arbitrary network computers anonymously, facilitating further attacks.

To leverage the cross-site scripting issue:
rmi://www.example.com:7080/workSessionServer"><script>alert(document.cookie)</script>

To leverage the connection proxy issue:
rmi://<targetHostName>:<targetPort>/workSessionServer