Ecometry SGDynamo 5.32/6.1/7.0 - Cross-Site Scripting

EDB-ID: 21446
Author: frog
Type: remote
Platform: Windows
Date: 2002-04-17

source: https://www.securityfocus.com/bid/4720/info

SGDynamo is a web application engine for Microsoft Windows operating systems.

SGDynamo does not filter script code out of URL parameters that it echoes back in its output. An attacker could therefore craft a malicious link to the program that carries script code; when a user follows that link, the script runs in the user's browser in the context of the site running SGDynamo.

This may enable the attacker to steal cookie-based authentication credentials from legitimate users.

http://target/sgdynamo.exe?HTNAME=<script>alert("test")</script>
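The following is an added example, not code from the advisory or from SGDynamo, that shows the defect the advisory describes and its fix side by side: a minimal handler that copies the HTNAME query parameter straight into an HTML page (the vulnerable pattern) next to one that HTML-encodes the value first. The parameter name HTNAME and the proof-of-concept URL shape come from the advisory; the page template, the function names and the sample URL are constructed for illustration.

```python
# Added example (not part of the original advisory or of SGDynamo itself).
# Demonstrates why an unencoded URL parameter reflected into HTML is a
# cross-site scripting defect, and what output encoding changes.
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template; SGDynamo's real output is not shown on the page.
TEMPLATE = "<html><body><h1>Page: {name}</h1></body></html>"


def htname_from_url(url: str) -> str:
    """Return the HTNAME query parameter of a request URL ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("HTNAME", [""])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable pattern: the parameter is copied into the HTML verbatim,
    so any markup the caller puts in the URL becomes part of the page."""
    return TEMPLATE.format(name=htname_from_url(url))


def render_safe(url: str) -> str:
    """Hardened pattern: HTML-encode the value before it reaches the page.
    '<', '>', '&' and quotes become entities and are rendered as text."""
    return TEMPLATE.format(name=html.escape(htname_from_url(url), quote=True))


def reflects_markup(rendered: str, value: str) -> bool:
    """Regression check for a response: True if a parameter value that
    contains an angle bracket survived into the output unencoded."""
    return "<" in value and value in rendered


if __name__ == "__main__":
    # Constructed sample URL with the same shape as the advisory's proof of concept.
    sample = 'http://target/sgdynamo.exe?HTNAME=<script>alert("test")</script>'
    value = htname_from_url(sample)
    for label, page in (("unsafe", render_unsafe(sample)), ("safe", render_safe(sample))):
        print(f"{label}: {page}")
        print(f"  markup reflected: {reflects_markup(page, value)}")
```

Running the block prints the two renderings; only the unencoded one still contains a live `<script>` element. The `reflects_markup` check is the kind of assertion a test suite can run against every page that echoes request data, so the defect cannot be reintroduced silently.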