PT-2018-9821 · Open Audit · Open-Audit Community

Tejesh Kolisetty

Published

2018-05-10

Updated

2018-06-13

CVE-2018-10314

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Open-AudIT Community version 2.2.0

Description: A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component. This is demonstrated by the action parameter in the "Discover -> Audit Scripts -> List Scripts -> Download" section.

Recommendations: For Open-AudIT Community version 2.2.0, consider restricting access to the Discover -> Audit Scripts -> List Scripts -> Download section until a patch is available. As a temporary workaround, avoid using crafted component names in this section to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2018-10314

Affected Products

Open-Audit Community

PT-2018-9821 · Open Audit · Open-Audit Community

CVE-2018-10314

Weakness Enumeration

Related Identifiers

Affected Products

References · 4