Vendor: Extreme Search Corporate Edition
By: Unknown
CVSS: 5.5 (MEDIUM)
CWE: 79 (Cross-Site Scripting (XSS))
Product Name: Extreme Search Corporate Edition
Affected Version From: 6
Affected Version To: 6.0 and prior
Patch Exists: NO
Related CWE: Unknown
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Unknown

Cross-Site Scripting in Extreme Search Corporate Edition

An attacker can execute arbitrary script code in the browser of a user by injecting malicious input through the 'search' parameter in the 'extremesearch.php' page. This can lead to the theft of authentication credentials and other attacks.

Mitigation:

Validate user-supplied input and encode it for the HTML context in which it is reflected (output encoding), so that injected markup is rendered as text rather than executed as script.
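Output encoding applied to the reflected 'search' parameter, as an added example (not Extreme Search's or Exploit-DB's code); the page template, function names and the length limit are assumptions, while the parameter name and payload come from the advisory above:

```php
<?php
// Added example, not Extreme Search's own code. The page template and function
// names are hypothetical; only the parameter name ('search') and the payload
// come from the advisory.
declare(strict_types=1);

// Vulnerable pattern (what the advisory describes): the decoded query value
// is concatenated straight into the HTML response.
function renderResultsVulnerable(string $search): string
{
    return "<h1>Results for: $search</h1>\n"
         . "<input type=\"text\" name=\"search\" value=\"$search\">\n";
}

// Output encoding for HTML body and attribute contexts. ENT_QUOTES covers both
// quote characters so the value is also safe inside a quoted attribute;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function htmlEncode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input validation (assumed limit): a search term has no business being
// kilobytes long. Length limits reduce abuse; they do not replace encoding.
function validateSearchTerm(string $value): string
{
    return mb_substr($value, 0, 200, 'UTF-8');
}

// Hardened pattern: validate on input, encode at the point of output.
function renderResultsSafe(string $search): string
{
    $safe = htmlEncode(validateSearchTerm($search));
    return "<h1>Results for: $safe</h1>\n"
         . "<input type=\"text\" name=\"search\" value=\"$safe\">\n";
}

// In the real page the value arrives as $_GET['search']; for an offline run we
// fall back to the advisory's payload, URL-decoded as PHP would do it.
$search = $_GET['search'] ?? "<script>alert('r0t XSS')</script>";

echo "--- vulnerable (script tag reaches the browser intact) ---\n";
echo renderResultsVulnerable($search);
echo "--- hardened (same input rendered as inert text) ---\n";
echo renderResultsSafe($search);

// Self-check: the hardened output must not carry a raw tag from the input.
if (str_contains(renderResultsSafe($search), '<script')) {
    throw new RuntimeException('output encoding failed');
}
```

Run it from the command line to see both renderings side by side; the same functions work unchanged behind a web server, where the value comes from the query string.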
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/15675/info

Extreme Search Corporate Edition is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

Versions 6.0 and prior are vulnerable; other versions may also be affected.

http://www.example.com/search/extremesearch.php?search=%3Cscript%3Ealert%28%27r0t+XSS%27%29%3C%2Fscript%3E&lang=