Flexmonster Pivot Table & Charts 2.7.17 Remote Report Reflected XSS

CVE: CVE-2020-20140
Category: CWE-79
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2020-12-24
CVSS: CVSS:4.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020120163

Below is a copy:

Flexmonster Pivot Table & Charts 2.7.17 Remote Report Reflected XSS
# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'Remote Report' Reflected XSS
# Date: 08/01/2020
# Exploit Author: Marco Nappi
# Vendor Homepage: https://www.flexmonster.com/
# Version: Flexmonster Pivot Table & Charts 2.7.17
# Tested on: Flexmonster Pivot Table & Charts 2.7.17
# CVE : CVE-2020-20140

Cross Site Scripting (XSS) vulnerability in the Remote Report component, reachable under the Open menu, in Flexmonster Pivot Table & Charts 2.7.17.

Reflected XSS:
The reflected XSS is the result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to a non-existing file (the XSS payload), and the error response reflects that value back into the page, which results in the execution of the payload.

payload:
<svg onload=alert("OpenRemoteReport")><!--
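The flaw described above is a classic reflection of a request parameter into an HTML error page. The following added example, written in Python and not taken from Flexmonster's PHP (file_specs.php), models that pattern: a vulnerable handler that echoes the 'path' value unescaped next to a hardened one that rejects anything other than a bare file name and HTML-escapes whatever it reflects, plus a small access-log check that flags file_specs.php requests whose decoded 'path' contains HTML metacharacters. The in-memory report table, the handler signatures and the log lines are all constructed for the demonstration.

```python
import html
import os
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the report files the endpoint would look up on disk.
KNOWN_REPORTS = {"sales-q1.json": '{"rows": 12}'}

# The payload quoted in the advisory, used here only to exercise the two handlers.
PAYLOAD = '<svg onload=alert("OpenRemoteReport")><!--'


def file_specs_vulnerable(path):
    """Model of the flaw: the 'path' parameter is echoed unescaped into an HTML error.

    Returns (status, content_type, body)."""
    body = KNOWN_REPORTS.get(path)
    if body is None:
        return 404, "text/html; charset=utf-8", f"<p>File not found: {path}</p>"
    return 200, "application/json", body


def file_specs_hardened(path):
    """Same endpoint with two fixes: reject anything that is not a bare file name,
    and HTML-escape the value before reflecting it.

    Returns (status, content_type, body)."""
    if path in ("", ".", "..") or os.path.basename(path) != path:
        # Directory components are never valid here; do not echo the rejected value.
        return 400, "text/plain; charset=utf-8", "invalid path parameter"
    body = KNOWN_REPORTS.get(path)
    if body is None:
        safe = html.escape(path, quote=True)  # < > & " ' become entities
        return 404, "text/html; charset=utf-8", f"<p>File not found: {safe}</p>"
    return 200, "application/json", body


# Constructed access-log lines (combined format); the second carries the
# advisory's payload URL-encoded in the 'path' parameter.
ACCESS_LOG = [
    '10.0.0.5 - - [24/Dec/2020:10:00:01 +0000] "GET /flexmonster/file_specs.php?path=sales-q1.json HTTP/1.1" 200 12',
    '10.0.0.9 - - [24/Dec/2020:10:00:07 +0000] "GET /flexmonster/file_specs.php?path=%3Csvg%20onload%3Dalert(%22OpenRemoteReport%22)%3E%3C!-- HTTP/1.1" 404 88',
    '10.0.0.5 - - [24/Dec/2020:10:01:30 +0000] "GET /index.html HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
MARKUP_RE = re.compile(r"[<>\"']")


def suspicious_path_requests(lines):
    """Return (client, decoded_path_value) for file_specs.php requests whose
    'path' parameter contains HTML metacharacters after URL decoding."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/file_specs.php"):
            continue
        # parse_qs percent-decodes the values for us.
        for value in parse_qs(url.query, keep_blank_values=True).get("path", []):
            if MARKUP_RE.search(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    print("vulnerable:", file_specs_vulnerable(PAYLOAD)[2])
    print("hardened:  ", file_specs_hardened(PAYLOAD)[2])
    for client, value in suspicious_path_requests(ACCESS_LOG):
        print(f"flagged {client}: path={value!r}")
```

Escaping on output is the fix for the reported bug; the bare-file-name check is defence in depth that also closes off traversal. A stricter allowlist on report names (for example letters, digits, dot, dash and underscore only) would reject the payload outright before anything is reflected, and the log check gives a quick way to see whether the endpoint has already been probed.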

Copyright ©2024 Exploitalert.
