- > [Suggested description]
- > An issue was discovered in Rumpus 8.2.10 on macOS. By crafting a
- > filename, it is possible to activate JavaScript in the context of the
- > web application after invoking the rename folder functionality.
- >
- > ------------------------------------------
- >
- > [Vulnerability Type]
- > Cross Site Scripting (XSS)
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > Maxum
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > Rumpus FTP Web File Manager - 8.2.10 for Mac OSX
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > The rename folder functionality.
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Code execution]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Escalation of Privileges]
- > true
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > By creating a folder with the name <img src=/ onerror=alert(0);> and
- > then clicking 'rename' in the cog icon, we can observe that the
- > browser will interpret the injected JavaScript.
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://www.maxum.com/Rumpus/Download.html
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Jayden Kaio Rivers
- Use CVE-2020-8514.
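
Added example (not part of the original paste and not Rumpus code): the [Attack Vectors] field describes a stored folder name being interpreted as markup when the rename dialog is drawn, so this sketch shows a hypothetical rename-dialog template with and without output encoding, plus a regression check a developer could run against it. All function names and the template markup are assumptions made for illustration.

```javascript
// Added example: a hypothetical rename-dialog renderer, not Rumpus code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode a string for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored folder name is concatenated straight into markup.
function renderRenameDialogUnsafe(folderName) {
  return '<form class="rename"><p>Rename ' + folderName + '</p>' +
    '<input name="newName" value="' + folderName + '"></form>';
}

// "After": the same template with the name encoded at output time.
function renderRenameDialogSafe(folderName) {
  const safe = escapeHtml(folderName);
  return '<form class="rename"><p>Rename ' + safe + '</p>' +
    '<input name="newName" value="' + safe + '"></form>';
}

// Count opening tags in a rendered fragment (coarse, for tests only).
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Regression check: a folder name must never change the tag structure
// of the dialog compared with a plain name rendered by the same template.
function nameAltersMarkup(render, folderName) {
  const baseline = countOpeningTags(render('plain-folder'));
  return countOpeningTags(render(folderName)) !== baseline;
}

// Folder name quoted from the advisory's [Attack Vectors] field.
const ADVISORY_NAME = '<img src=/ onerror=alert(0);>';

console.log('unsafe alters markup:', nameAltersMarkup(renderRenameDialogUnsafe, ADVISORY_NAME));
console.log('safe alters markup:  ', nameAltersMarkup(renderRenameDialogSafe, ADVISORY_NAME));
console.log(renderRenameDialogSafe(ADVISORY_NAME));
```

The encoding is applied when the name is written into the page, so folder names already stored on disk are handled without renaming them.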