SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS)

EDB-ID:

51218

CVE:

2022-47870

EDB Verified:

Author:

geeklinuxman

Type:

webapps

Exploit:   /  

Platform:

Multiple

Date:

2023-04-03

Vulnerable App: 
# Exploit Title: SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS) 
# Date: [12/21/2022 02:07:23 AM UTC]
# Exploit Author: [geeklinuxman@gmail.com]
# Vendor Homepage: [https://www.red-gate.com/]
# Software Link: [https://www.red-gate.com/products/dba/sql-monitor/]
# Version: [SQL Monitor 12.1.31.893]
# Tested on: [Windows OS]
# CVE : [CVE-2022-47870]

 [Description]
 Cross Site Scripting (XSS) in the web SQL monitor login page in Redgate
 SQL Monitor 12.1.31.893 allows remote attackers to inject arbitrary web
 Script or HTML via the returnUrl parameter.

 [Affected Component] affected returnUrl in
https://sqlmonitor.*.com/Account/Login?returnUrl=&hasAttemptedCookie=True
 affected A tag under span with "redirect-timeout" id value

 [CVE Impact]
 disclosure of the user's session cookie, allowing an attacker to
hijack the user's session and take over the account.

 [Attack Vectors]
 to exploit the vulnerability, someone must click on the malicious A
HTML tag under span with "redirect-timeout" id value

 [Vendor]
 http://redgate.com
 http://sqlmonitor.com
 https://sqlmonitor.
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services