Cross-Site Scripting (XSS) Vulnerabilities Tagged: Vulnerabilities This topic contains 9 replies, has 2 voices, and was last updated by easyregistrationadmin 6 days, 4 hours ago. Viewing 10 posts - 1 through 10 (of 10 total) Author Posts August 14, 2019 at 1:09 pm #4900 cpalacioParticipant We are getting a report of this vulnerability from the ERForms. Can you please provide me some feedback as to how to solve this vulnerability? August 14, 2019 at 1:16 pm #4901 easyregistrationadminKeymaster Hi, Can you please share the details about where it is reported ? Any details regarding the report will be helpful. August 14, 2019 at 1:22 pm #4902 cpalacioParticipant – Parameter: It has been detected by exploiting the parameter erf_password of the form located in URL https://corp.trialcard.com/portfolio-items/tc-synapse-a-trusted-suiteof-risk-mitigation-and-compliance-solutions/ The payloads section will display a list of tests that show how the param could have been exploited to collect the information – Authentication: In order to detect this vulnerability, no authentication has been required. – Access Path: Here is the path followed by the scanner to reach the exploitable URL:https://corp.trialcard.com/ August 14, 2019 at 2:19 pm #4903 easyregistrationadminKeymaster Form URL is leading to 404 page. Can you please check? August 14, 2019 at 3:10 pm #4904 cpalacioParticipant Here you go TC Synapse – A Trusted Suite of Risk Mitigation and Compliance Solutions August 14, 2019 at 5:08 pm #4906 easyregistrationadminKeymaster Thank you for the URL. We have checked the code with ‘erf_password’ param and can assure that data is being sanitized before proceeding with the execution. It seems to be a false alarm. Please allow us some time to further debug the cause. August 14, 2019 at 10:10 pm #4909 cpalacioParticipant Thank you for your response. Would you mind giving me an estimate of when you will be able to provide me an update regarding your debugging. August 16, 2019 at 5:58 am #4915 easyregistrationadminKeymaster It may take a couple of days. I will get back to you by Tuesday next week. August 19, 2019 at 1:00 pm #4933 cpalacioParticipant Hello, Our Infrastructure team has run another scan and they provided us the report of the site which shows XSS vulnerabilities for the ERForms. Can you provide me an email where I could send the report to? August 19, 2019 at 3:41 pm #4936 easyregistrationadminKeymaster You can send the details at email@example.com Author Posts Viewing 10 posts - 1 through 10 (of 10 total) You must be logged in to reply to this topic.