← voltar
CVE-2015-20116

RealtyScript 4.0.2 Stored Cross-Site Scripting via CSV File Upload Filename

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79
Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users' browsers when the file is processed or displayed.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Produtos afetados
Next Click Ventures · RealtyScript

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://www.exploit-db.com/exploits/38496https://www.vulncheck.com/advisories/realtyscript-stored-cross-site-scripting-via-csv-file-upload-filenamehttps://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5269.php