Footy Tipping Software Cross-site Scripting
Release date: 24/10/2019
Last update: 24/10/2019
Vendor: Footy Tipping Software
Vendor site: https://www.footy.com.au/
Product: AFL Web Edition
Affected version(s): 2019
Remediated version: Vendor has not released a patch.
Severity Rating: Medium
Impact: Exposure of sensitive information and Client-side code execution.
Attack vector: Remote without authentication.
Details: AFL Web Edition 2019 is vulnerable to Cross-site Scripting via the tips page; the `counter` parameter is the affected input.
The following is a proof of concept:
Recommendation: Vendor has not released a patch.
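Since no vendor patch exists, the following added example (hypothetical code, not Footy Tipping Software's and not the proof of concept referred to above) shows how a tips page handler could treat the `counter` parameter defensively, and how to flag requests that send a non-numeric value in server access logs. It assumes the page reads `counter` from the query string and reflects it into the HTML response; the log lines are constructed samples.

```python
"""Defensive handling of the tips page `counter` parameter (added example).

Assumption: `counter` is a round number read from the query string and
reflected into the page markup.
"""
import html
import re
from urllib.parse import parse_qs, urlparse

# A round counter is a short decimal integer; nothing else is accepted.
COUNTER_RE = re.compile(r"[0-9]{1,6}")


def validate_counter(raw: str) -> int:
    """Accept only a short decimal integer; reject anything else before rendering."""
    if not COUNTER_RE.fullmatch(raw):
        raise ValueError("counter must be a decimal integer")
    return int(raw)


def render_tips_counter(raw: str) -> str:
    """Render the counter into the page with validation plus contextual
    HTML encoding, so user input never reaches the markup unescaped."""
    counter = validate_counter(raw)
    return f'<span id="counter">{html.escape(str(counter))}</span>'


# Constructed sample access-log lines (not real traffic) used to demonstrate
# a log check for requests whose counter value fails the same validation.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Oct/2019:10:01:02 +1100] "GET /tips?counter=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Oct/2019:10:01:09 +1100] "GET /tips?counter=7%3Cx HTTP/1.1" 200 640',
    '10.0.0.7 - - [24/Oct/2019:10:02:15 +1100] "GET /tips?counter=12 HTTP/1.1" 200 512',
]


def suspicious_counter_requests(lines):
    """Return request paths whose (percent-decoded) counter value is not a plain integer."""
    hits = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        path = m.group(1)
        for value in parse_qs(urlparse(path).query).get("counter", []):
            if not COUNTER_RE.fullmatch(value):
                hits.append(path)
    return hits
```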
Discovered by: Michael Merlino from Content Security Pty. Ltd.