epesi BIM Multiple Cross-Site Scripting Vulnerabilities

vendor:

epesi BIM

by:

5.5

CVSS

MEDIUM

Cross-Site Scripting

CWE

Product Name: epesi BIM

Affected Version From: 1.2.0 rev 8154

Affected Version To: 1.2.0 rev 8154

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

epesi BIM Multiple Cross-Site Scripting Vulnerabilities

epesi BIM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Mitigation:

Unknown

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/51149/info

epesi BIM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

epesi BIM 1.2.0 rev 8154 is vulnerable; prior versions may also be affected. 

http://www.example.com/admin/phpfm.php?frame=3&dir_atual=%3Cscript%3Ealert%28123%29;%3C/script%3E

http://www.example.com/admin/themeup.php/%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E

http://www.example.com/admin/wfb.php?msg=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E