Description:
We observed that Cross-site scripting vulnerabilities occur when user-supplied input is not properly validated & output is not properly escaped for the below vulnerable parameter.
In this observation, the attacker added the malicious script as payload in the Playlist Name field while creating the new Playlist which resulted in the execution of a Stored XSS attack.
RISK FACTOR: High
Affected Component: Playlist Name parameter.
Steps to reproduce:
1) Open the monkey media app and enter into the Playlist tab. While creating the new playlist, under the name filed add this {asdf"><img src=x onerror=alert(1)>} XSS playload and save it.
2) You will observe that the stored XSS attack got executed.
Stored XSS in Playlist Name Parameter Under Playlists Tab [#20451]
Moderator: Gurus
Stored XSS in Playlist Name Parameter Under Playlists Tab.
Description:
We observed that Cross-site scripting vulnerabilities occur when user-supplied input is not properly validated & output is not properly escaped for the below vulnerable parameter.
In this observation, the attacker added the malicious script as payload in the Playlist Name field while creating the new Playlist which resulted in the execution of a Stored XSS attack.
RISK FACTOR: High
Affected Component: Folder Name parameter.
Steps to reproduce:
1) Open the monkey media app and enter into the Devices & Services tab.
2) While creating the new Storage and Services, select Local Storage(folder), and under that select Network and change any network name.
3) Under the name filed add this {asdf"><img src=x onerror=alert(1)>} XSS payload and save it, you will observe that the stored XSS attack got executed.
4) While deleting that same edited folder you will observe another error based Stored XSS.
We observed that Cross-site scripting vulnerabilities occur when user-supplied input is not properly validated & output is not properly escaped for the below vulnerable parameter.
In this observation, the attacker added the malicious script as payload in the Playlist Name field while creating the new Playlist which resulted in the execution of a Stored XSS attack.
RISK FACTOR: High
Affected Component: Folder Name parameter.
Steps to reproduce:
1) Open the monkey media app and enter into the Devices & Services tab.
2) While creating the new Storage and Services, select Local Storage(folder), and under that select Network and change any network name.
3) Under the name filed add this {asdf"><img src=x onerror=alert(1)>} XSS payload and save it, you will observe that the stored XSS attack got executed.
4) While deleting that same edited folder you will observe another error based Stored XSS.
Re: Stored XSS in Playlist Name Parameter Under Playlists Tab [#20451]
Hi Ludek,
This issue is different, it comes under the Devices & Services tab and I don't have access to this link that you have given please give me access and please let me know about the CVE.
Thanks,
Mayur
This issue is different, it comes under the Devices & Services tab and I don't have access to this link that you have given please give me access and please let me know about the CVE.
Thanks,
Mayur
Reflected XSS under Home page Search filed
Description:
We observed that Cross-site scripting vulnerabilities occur when user-supplied input is not properly validated & output is not properly escaped for the below vulnerable parameter.
In this observation, the attacker added the malicious script as a payload in the Search field while searching which resulted in the execution of a Reflected XSS attack.
RISK FACTOR: High
Affected Component: Search parameter.
Steps to reproduce:
1) Open the monkey media app, on the right-hand side you will able to see the search field add this {asdf"><img src=x onerror=alert(1)>} XSS payload and click search
2) You will observe that the Reflected XSS attack got executed.
We observed that Cross-site scripting vulnerabilities occur when user-supplied input is not properly validated & output is not properly escaped for the below vulnerable parameter.
In this observation, the attacker added the malicious script as a payload in the Search field while searching which resulted in the execution of a Reflected XSS attack.
RISK FACTOR: High
Affected Component: Search parameter.
Steps to reproduce:
1) Open the monkey media app, on the right-hand side you will able to see the search field add this {asdf"><img src=x onerror=alert(1)>} XSS payload and click search
2) You will observe that the Reflected XSS attack got executed.
Re: Reflected XSS under Home page Search filed
Best regards,
Peke
MediaMonkey Team lead QA/Tech Support guru
Admin of Free MediaMonkey addon Site HappyMonkeying
How to attach PICTURE/SCREENSHOTS to forum posts
Peke
MediaMonkey Team lead QA/Tech Support guru
Admin of Free MediaMonkey addon Site HappyMonkeying
How to attach PICTURE/SCREENSHOTS to forum posts