
Security Advisory: Knowage Cross-site Scripting

Posted by David Chadwick - 26 July, 2019


Knowage Cross-site Scripting

Release date: 29/07/2019

Last update: 29/07/2019

Vendor: Knowage-suite

Vendor site: https://www.knowage-suite.com/site/home/

Product: Knowage

Affected version(s): 6.1.1

Remediated version: 6.4

Severity Rating: Medium

Impact: Exposure of sensitive information and Client-side code execution

Attack vector: Remote without authentication

CVE: CVE-2019-13189

Details: Knowage before 6.4 has Cross-site Scripting via the ChangePwdServlet page; the start_url and user_id parameters are vulnerable.

The following is a proof of concept:


xss-redacted G
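As an added example, not part of the original advisory, the following Python scanner flags web-server access-log requests to ChangePwdServlet whose start_url or user_id values carry HTML or script markup, which is the kind of reflected-XSS probing a defender would want to surface while the fix is rolled out. The log lines, the servlet path prefix and the markup heuristic are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory names as reflected by ChangePwdServlet.
WATCHED_PARAMS = ("start_url", "user_id")

# Conservative markers of HTML/JS injection in a decoded value. The
# on<event>= clause is a heuristic and can false-positive on plain text.
SUSPICIOUS = re.compile(r"<|>|javascript:|on\w+\s*=", re.IGNORECASE)

# Apache/nginx "combined" style request line (assumed format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_line(line):
    """Return a finding for a ChangePwdServlet request carrying suspicious
    markup in a watched parameter, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Servlet name is taken from the advisory; its path prefix is assumed.
    if parts.path.rsplit("/", 1)[-1] != "ChangePwdServlet":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes
    hits = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if SUSPICIOUS.search(value):
                hits[name] = value
    if not hits:
        return None
    return {"client": m.group("client"), "timestamp": m.group("ts"),
            "status": m.group("status"), "params": hits}

def scan(lines):
    """Run inspect_line over an iterable of log lines, keeping findings."""
    return [f for f in (inspect_line(l) for l in lines) if f]

# Constructed sample log: one benign request, one probe, one unrelated servlet.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jul/2019:10:15:01 +0000] "GET /knowage/servlet/ChangePwdServlet?user_id=alice&start_url=%2Fknowage%2Fhome HTTP/1.1" 200 512',
    '203.0.113.9 - - [29/Jul/2019:10:16:44 +0000] "GET /knowage/servlet/ChangePwdServlet?user_id=%3Cscript%3Ealert(1)%3C%2Fscript%3E&start_url=%2Fhome HTTP/1.1" 200 640',
    '198.51.100.7 - - [29/Jul/2019:10:17:02 +0000] "GET /knowage/servlet/LoginServlet?user_id=%3Cb%3E HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request is worth prioritising, since the unpatched servlet reflects the value rather than rejecting it.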

Recommendation: Update to the latest patch.

Discovered by: David Chadwick from Content Security Pty. Ltd.
