CVE-2018-15917
published 2018-09-05CVE-2018-15917: Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the language parameter to…
PriorityP431medium5.4CVSS 3.0
AVNACLPRLUIRSCCLILAN
EXPLOIT
EPSS
6.48%
92.9th percentile
Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the language parameter to session/language.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jorani_project | jorani | — | — |
CVSS provenance
nvdv3.05.4MEDIUMCVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Jorani Leave Management 0.6.5 - Cross-Site Scripting
exploitdb·2018-09-06·CVSS 5.4
CVE-2018-15917 [MEDIUM] Jorani Leave Management 0.6.5 - Cross-Site Scripting
Jorani Leave Management 0.6.5 - Cross-Site Scripting
---
# Exploit Title: Jorani Leave Management System 0.6.5 – Cross-Site Scripting
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2018-09-06
# Google Dork: N/A
# Vendor: Benjamin BALET
# Software Link: https://jorani.org/download.html
# Affected Version: 0.6.5 and possibly before
# Patched Version: unpatched
# Category: Web Application
# Platform: Windows
# Tested on: Win10x64 & Kali Linux
# CVE: 2018-15917
# 1. Technical Description:
# Language parameter is vulnerable to Persistent Cross-Site Scripting (XSS) attacks through
# a GET request in which the values are stored in the user session.
# 2. Proof Of Concept (PoC):
# Go to http://localhost/session/language?last_page=session%2Flogin&language=en%22%3E%3Csc
Nuclei
Jorani Leave Management System 0.6.5 - Cross-Site Scripting
nuclei·CVSS 5.4
CVE-2018-15917 [MEDIUM] Jorani Leave Management System 0.6.5 - Cross-Site Scripting
Jorani Leave Management System 0.6.5 - Cross-Site Scripting
Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the language parameter to session/language.
Template:
id: CVE-2018-15917
info:
name: Jorani Leave Management System 0.6.5 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the language parameter to session/language.
impact: |
Authenticated attackers can inject persistent malicious JavaScript through the language parameter that executes in other users' browsers including administrators, potentially stealing session cookies, credentials, or performing un
No writeups or analysis indexed.
https://github.com/bbalet/jorani/issues/254https://hackpuntes.com/cve-2018-15917-jorani-leave-management-system-0-6-5-cross-site-scripting-persistente/https://www.exploit-db.com/exploits/45338/https://github.com/bbalet/jorani/issues/254https://hackpuntes.com/cve-2018-15917-jorani-leave-management-system-0-6-5-cross-site-scripting-persistente/https://www.exploit-db.com/exploits/45338/
2018-09-05
Published