<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=2114085292224199&amp;ev=PageView&amp;noscript=1">

Security Advisory: Footy Tipping Software Cross-site Scripting

Posted by Michael Merlino - 18 November, 2019

header-picture

Footy Tipping Software Cross-site Scripting

Release date: 24/10/2019

Last update: 24/10/2019

Vendor: Footy Tipping Software

Vendor site: https://www.footy.com.au/

Product: AFL Web Edition

 

Affected version(s): 2019

 

Remediated version: Vendor has not released a patch.

 

Severity Rating: Medium

 

Impact: Exposure of sensitive information and Client-side code execution.

 

Attack vector: Remote without authentication.

 

CVE: CVE-2019-17057

 

Details: AFL Web Edition 2019 has Cross-site Scripting via the tips page, the parameter of counter is vulnerable.

The following is a proof of concept:

http://<HOST>/Scripts/tipping/tips.pl?password=a0B%21n3x%21X9&round=19&counter=%3Cscript%3Ealert('We%20got%20one')%3C/script%3Ed6idah

 

 

Recommendation: Vendor has not released a patch.

Discovered by: Michael Merlino from Content Security Pty. Ltd.

 


Recent Posts

Security Advisory: Footy Tipping Software Whitelisting Bypass

read more

Security Advisory: Footy Tipping Software Cross-site Scripting

read more

Three Types of Security Threats and How to Guard Against Them

read more