<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=2114085292224199&amp;ev=PageView&amp;noscript=1">

Security Advisory: Knowage Cross-site Scripting

Posted by David Chadwick - 26 July, 2019

header-picture

Knowage Cross-site Scripting

Release date: 29/07/2019

Last update: 29/07/2019

Vendor: Knowage-suite

Vendor site: https://www.knowage-suite.com/site/home/

Product: Knowage

Affected version(s): 6.1.1

Remediated version: 6.4

Severity Rating: Medium

Impact: Exposure of sensitive information and Client-side code execution

Attack vector: Remote without authentication

CVE: CVE-2019-13189

Details: Knowage before 6.4 has Cross-site Scripting via the ChangePwdServlet page, the parameters of start_url and user_id are vulnerable.

The following is a proof of concept:

https://<HOST>/knowage/ChangePwdServlet?start_url=test"><script>alert(1)</script>test

xss-redacted G

Recommendation: Update to the latest patch.

Discovered by: David Chadwick from Content Security Pty. Ltd.


Recent Posts

Security Advisory: Footy Tipping Software Whitelisting Bypass

read more

Security Advisory: Footy Tipping Software Cross-site Scripting

read more

Three Types of Security Threats and How to Guard Against Them

read more