- CVE-2019-14805
- >[Description]
- > studio/builder_menu.php?page=sets in UNA 10.0.0-RC1 allows XSS via the System Name field under Sets during set editing.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > UNA-v.10.0.0-RC1 [Stored XSS Vulnerability]#1
- > Sign in to admin and look for the ["etemplates"] page (/studio/polyglot.php?page=etemplates)!
- > Click ["Emails"] and edit the templates! Inject the JavaScript code into the ["System Name"] field!
- > http://127.0.0.1/UNA/studio/polyglot.php?page=etemplates
- >
- > UNA-v.10.0.0-RC1 [Stored XSS Vulnerability]#2
- > Sign in to admin and look for the ["sets"] page (studio/builder_menu.php?page=sets)!
- > Click ["Sets"] and edit the "set"! Inject the JavaScript code into the ["System Name"] field!
- > http://127.0.0.1/UNA/studio/polyglot.php?page=etemplates
- >
- > https://github.com/unaio/una/tree/master/studio
- > https://una.io/
- >
- > ------------------------------------------
- >
- > [Vulnerability Type]
- > Cross Site Scripting (XSS)
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > UNA
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > UNA - 10.0.0-RC1
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Code execution]
- > true
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > Client side JavaScript code injection.
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://github.com/unaio/una/commits/master/studio
- Use CVE-2019-14805.