eGroupWare 1.0 Calendar Module - 'date' Cross-Site Scripting

EDB-ID:

24403

CVE:

2004-1467

EDB Verified:

Author:

Joxean Koret

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2004-08-23

Vulnerable App: 
source: https://www.securityfocus.com/bid/11013/info

It is reported that eGroupWare is susceptible to multiple cross-site scripting and HTML injection vulnerabilities.

The cross-site scripting issues present themselves in the various parameters of the 'addressbook' and 'calendar' modules. It is also reported that data input through the 'Search' fields of the 'addressbook', 'calendar', and 'search between projects' functionality are not sufficiently sanitized.

An attacker can exploit these issues for theft of cookie-based authentication credentials and other attacks.

Additionally HTML injection vulnerabilities are reported for the eGroupWare 'Messenger' module and 'Ticket' module.

Attackers may potentially exploit these issues to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

http://www.example.com/egroupware/index.php?menuaction=calendar.uicalendar.day&date=20040701"><script>alert(document.cookie)</script
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services