CyberSec-Supra/CVE-2024-42834

# Exploit Title: INCOGNITO SAC STORED CROSS-SITE SCRIPTING (XSS) VULNERABILITY
# Date: 26 JULY 2024
# Exploit Author: Etienne Supra
# Vendor Homepage: https://www.incognito.com/products/service-activation-center/
# Version: 14.11
# CVE : CVE-2024-42834
# Vendor has been informed and has acknowledged the vulnerability.
  
VULNERABILITY SUMMARY
A stored cross-site scripting (XSS) vulnerability was identified in the customerManager API and ManageAccount_retrieve modules of the Incognito Service Activation Center User Interface (SAC UI).
SAC UI Version 14.11 allows remotely authenticated attackers to inject arbitrary JavaScript or HTML via the ‘lastName’ parameter. If malicious JavaScript was submitted, it would be stored on the web server and would be triggered on users’ browsers when viewed.
The XSS was triggered when the user account was viewed on the ManageAccount_retrieve page.
The remediation of this vulnerability lies with the vendor, as they would need to sanitise the API input and the SAC UI output.
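
The two remediation layers named above (API input validation and UI output encoding), sketched for a 'lastName' field as an added example; this is not vendor or SAC code. The function names, the allow-list pattern and the 64-character limit are assumptions chosen for illustration.

```javascript
// Added example. validateLastName, escapeHtml and renderAccountRow are
// hypothetical names; nothing here is taken from the SAC code base.

// Layer 1, API input: allow-list letters, combining marks, space, period,
// apostrophe and hyphen. Reject anything else rather than trying to strip it.
const LAST_NAME_RE = /^[\p{L}\p{M}][\p{L}\p{M} .'’-]{0,63}$/u;

function validateLastName(value) {
  if (typeof value !== "string") {
    return { ok: false, reason: "not a string" };
  }
  const name = value.normalize("NFC").trim();
  if (!LAST_NAME_RE.test(name)) {
    return { ok: false, reason: "disallowed characters or length" };
  }
  return { ok: true, value: name };
}

// Layer 2, UI output: encode at render time. Records stored before the
// input check existed are still displayed as text, not parsed as markup.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderAccountRow(account) {
  return `<td class="last-name">${escapeHtml(account.lastName)}</td>`;
}

// Constructed sample data: one ordinary name, one value containing markup
// that stands in for a record stored before validation was added.
const legacyRecord = { lastName: "<script>alert(1)</script>" };
console.log(validateLastName("O'Brien-Smith")); // accepted
console.log(validateLastName(legacyRecord.lastName)); // rejected
console.log(renderAccountRow(legacyRecord)); // markup is encoded, inert
```

Output encoding is the layer that protects the ManageAccount_retrieve view against values already in the database; input validation only stops new ones.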
