Security Advisory - Curesec Research Team 1. Introduction Affected Product: Supercali Event Calendar 1.0.8 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://ift.tt/1WFMxb0 Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 09/01/2015 Disclosed to public: 10/07/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description There is an XSS vulnerability via the "id" GET parameter when editing a group in Supercali Event Calendar 1.0.8. With this, it is possible to steal cookies or inject JavaScript keyloggers. 3. Proof of Concept http://ift.tt/1MgGIw34. Solution This issue was not fixed by the vendor. 5. Report Timeline 09/01/2015 Informed Vendor about Issue (no reply) 10/07/2015 Disclosed to public Blog Reference: http://ift.tt/1PfEzXj
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment