Giters

alt3kx / CVE-2019-10685

A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Print Archive System v2015 release 2.6

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CVE-2019-10685

The user supplied input containing JavaScript is echoed back in JavaScript code in an HTML response via the "TextField" parameter.

Exploit-DB publication at https://www.exploit-db.com/exploits/46804
PacketStorm publication at https://packetstormsecurity.com/files/152727/Prinect-Archive-System-2015-Release-2.6-Cross-Site-Scripting.html
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10685

Timeline

================
2019-02-04: Discovered
2019-02-25: Retest PRO environment
2019-03-25: Retest on researcher's ecosystem
2019-04-02: Vendor notification
2019-04-03: Vendor feedback received
2019-04-08: Reminder sent
2019-04-08: 2nd reminder sent
2019-04-11: Internal communication
2019-04-26: No more feedback received from the vendor
2019-04-30: New issues found
2019-05-06: Public Disclosure

Heidelberg (Print Archive System v2015 release 2.6 Product) Patch and credits:

https://www.heidelberg.com

3_poc

Author

Alex Hernandez aka (@_alt3kx_)

My current exploit list @exploit-db:
https://www.exploit-db.com/author/?a=1074
https://www.exploit-db.com/author/?a=9576

CVE-2019-10685 with sexy screens here: https://medium.com/@alt3kx

About

A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Print Archive System v2015 release 2.6

License:GNU General Public License v3.0