Vendor: PhpGroupWare
By: Unknown
CVSS: 7.5 (HIGH)
CWE: 79 (HTML Injection)
Product Name: PhpGroupWare
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:phpgroupware:phpgroupware
Metasploit:
Other Scripts:
Platforms Tested: Unknown
Unknown

PhpGroupWare HTML Injection Vulnerability

PhpGroupWare is susceptible to an HTML injection vulnerability due to improper input sanitization. An attacker can exploit it by supplying malicious HTML and script code through the 'date' parameter of the 'index.php' page. This can lead to theft of cookie-based authentication credentials and control over how the site is rendered.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user-supplied input before processing or rendering it.
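
One way to apply this to the 'date' parameter, as an added example that is not phpGroupWare's own code. It assumes the planner expects an 8-digit YYYYMMDD date and reflects the value into an HTML attribute; the function names are hypothetical.

```php
<?php
// Added example, not phpGroupWare code.
// Assumption: 'date' is an 8-digit YYYYMMDD string echoed into a form field.

/** Return the date string if it is a real calendar date, otherwise null. */
function parse_planner_date(string $raw): ?string
{
    // \A and \z anchor the whole string, so trailing newlines or markup fail.
    if (!preg_match('/\A(\d{4})(\d{2})(\d{2})\z/', $raw, $m)) {
        return null;
    }
    // checkdate(month, day, year) rejects values such as month 13.
    return checkdate((int)$m[2], (int)$m[3], (int)$m[1]) ? $raw : null;
}

/** Encode a value for an HTML text node or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hypothetical renderer for the planner's date field. */
function render_date_field(string $raw, string $fallback): string
{
    // Validate on input, then still encode on output (defense in depth).
    $date = parse_planner_date($raw) ?? $fallback;
    return '<input type="hidden" name="date" value="' . h($date) . '">';
}

// In a request handler, refuse non-string input (e.g. date[]=...) first:
//   $raw = is_string($_POST['date'] ?? null) ? $_POST['date'] : '';

// Constructed inputs: a valid date, the payload quoted on this page,
// and a well-formed but impossible date.
$samples = ['20041222', '"><script>alert(document.cookie)</script>', '20041332'];
foreach ($samples as $raw) {
    echo render_date_field($raw, date('Ymd')), "\n";
    // Encoding alone already keeps the payload inside the attribute value.
    echo 'encoded only: ', h($raw), "\n";
}
```

Validation rejects the payload before it reaches the template, and the encoding step keeps any value that does get through from closing the attribute or opening a tag.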
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/12082/info

PhpGroupWare is reported to be susceptible to an HTML injection vulnerability. This issue exists because the application fails to properly sanitize user-supplied input.

The attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user. 

http://[target]/[phpgroupware_directory]/index.php?menuaction=calendar.uicalendar.planner
POST DATA: date="><script>alert(document.cookie)</script>