CVE-2023-36816: XSS at Account creation

2FA is a Web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Cross-site scripting (XSS) injection is possible via the account/service field; this was tested in a docker-compose environment. The vulnerability has been patched in version 4.0.3.


Summary

On /account/create an XSS injection can be performed via the account/service field (tested in a docker-compose environment).

PoC

  • Navigate to /account/create and enter one of the following strings in the upper text field (others may work as well; only these two were tested):

    <image/src/onerror=prompt(8)>
    <!--<img src="--><img src=x onerror=javascript:alert(1)//">

  • Click the button to the left of it, labelled “Ich habe Glück” (the UI was tested in German).
  • An alert is executed.
  • The first string can also be saved as the project name, but it is not executed on other pages.
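As an added example that is not part of this advisory or of the project's own code, the snippet below reproduces the rendering mistake behind the PoC (an account/service name concatenated straight into markup) next to the encoded version, and adds a small regression check that flags any element or event-handler attribute in the rendered output that the template itself did not produce. The renderer functions, the `<li>`/`<span>` template and the sample account name are assumptions for illustration; the two payload strings are the ones quoted in the PoC above.

```javascript
// Added example (not the advisory's or the project's code). Runs in Node without a DOM.

// Encode the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern (hypothetical, assumed to resemble the pre-4.0.3 behaviour
// the advisory describes): the field value is concatenated straight into markup.
function renderAccountRowUnsafe(service, account) {
  return `<li class="account"><span class="service">${service}</span> ` +
         `<span class="account-name">${account}</span></li>`;
}

// Hardened pattern: every untrusted value is encoded for the HTML text context
// before it is placed into the document.
function renderAccountRowSafe(service, account) {
  return `<li class="account"><span class="service">${escapeHtml(service)}</span> ` +
         `<span class="account-name">${escapeHtml(account)}</span></li>`;
}

// Regression check: walk every tag in the rendered markup and report anything
// the template did not emit (a foreign element, or an on*= handler attribute
// on an allowed element). Encoded output contains no raw '<', so it never trips.
const TEMPLATE_TAGS = new Set(['li', 'span']);
function containsInjectedMarkup(html) {
  const tagRe = /<\/?\s*([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, name, attrs] = m;
    if (!TEMPLATE_TAGS.has(name.toLowerCase())) return true;   // foreign element
    if (/[\s\/]on[a-z]+\s*=/i.test(attrs)) return true;        // smuggled event handler
  }
  return false;
}

// Constructed sample inputs: the two strings from the PoC plus a benign name
// (with an ampersand) that must render correctly in both versions.
const SAMPLE_SERVICE_NAMES = [
  '<image/src/onerror=prompt(8)>',
  '<!--<img src="--><img src=x onerror=javascript:alert(1)//">',
  'Ich habe Glück & Co.',
];

// Run both renderers over the samples; 'unsafeLeaks' should be true for the
// two payloads and 'safeLeaks' false for every input.
function auditRenderers() {
  return SAMPLE_SERVICE_NAMES.map((name) => ({
    name,
    unsafeLeaks: containsInjectedMarkup(renderAccountRowUnsafe(name, 'alice')),
    safeLeaks: containsInjectedMarkup(renderAccountRowSafe(name, 'alice')),
  }));
}

if (typeof module !== 'undefined' && require.main === module) {
  for (const result of auditRenderers()) console.log(result);
}
```

The check is deliberately tied to the template's own element allow-list rather than to a payload blocklist: it answers "did anything reach the page that the template did not write?", which is the property the 4.0.3 fix has to guarantee for every field value, not only for the two strings above.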

Impact

XSS is a well-known OWASP Top 10 finding, and you have most likely heard of it already. If not, please have a look here: https://owasp.org/www-community/attacks/xss/.
