Multiple Cross-Site Scripting Vulnerabilities in GrapeCity Data Dynamics Reports

vendor:

Data Dynamics Reports

by:

7.5

CVSS

HIGH

Cross-Site Scripting

CWE

Product Name: Data Dynamics Reports

Affected Version From: 1.6.2084.14

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

Multiple Cross-Site Scripting Vulnerabilities in GrapeCity Data Dynamics Reports

The application fails to sanitize user-supplied input, leading to multiple cross-site scripting vulnerabilities. An attacker can execute arbitrary script code in the browser of an unsuspecting user, potentially stealing authentication credentials and launching further attacks.

Mitigation:

Ensure that user-supplied input is properly sanitized before being used in the application. Implement input validation and output encoding to prevent cross-site scripting attacks.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/47015/info

GrapeCity Data Dynamics Reports is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Data Dynamics Reports 1.6.2084.14 is vulnerable; other versions may also be affected. 

http://www.example.com/CoreHandler.ashx?dd:script=CoreViewerInit.js&reportName=<script>alert(&#039;XSS1!&#039;)</script>&uniqueId=<script>alert(&#039;XSS2!&#039;)</script>#
http://www.example.com/CoreHandler.ashx?dd:script=CoreController.js&uniqueId=<script>alert(&#039;XSS1!&#039;)</script>&traceLevel=<script>alert(&#039;XSS2!&#039;)</script>#