SIK-2017-055


Title:

Reflective XSS on greenalp.com via RealTime GPS Tracker App

Report ID

SIK-2017-055

Summary:

  • Vendor: Greenalp
  • Product: greenalp.com (website)
  • Affected Version: last accessed 2017-08-16
  • Severity: Medium
  • Short summary: A reflected XSS in the error page of greenalp.com: the value of the "error" GET parameter of realtimetracker/index.php is written into the page without HTML encoding

Details:

With a prepared link such as

https://www.greenalp.com/realtimetracker/index.php?error=User+has+disabled+access+for+not+authorized+susers%3C/div%3E%3Cscript%3Ealert(%22XSS%22);%3C/script%3E

an attacker can inject JavaScript that is reflected into the page. The text of the "error" parameter is inserted into the error page as-is, so the "</div>" in the payload closes the element that wraps the message and the following "<script>" tag is parsed as markup and executed in the browser of anyone who opens the link. Because the script runs in the origin of www.greenalp.com, it can read the page and, depending on the cookie flags, the session of a logged-in user.

Workaround

None.

Suggested Mitigation

The error message should not be passed in a GET parameter of the URL at all; the page should accept only a short error code and look up the message text server-side. Independently of that, any value that is reflected into the page must be HTML-encoded on output (htmlspecialchars() with ENT_QUOTES in PHP), so that a stray "<" or quote from the URL can never become markup.
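The following is an added example, not code from greenalp.com (whose page is PHP and was not available to us). It is a small Python model of the flaw and of the two fixes suggested above: render_vulnerable() echoes the decoded parameter verbatim, render_hardened() accepts only an error code and looks the text up in a hypothetical table, and render_encoded_only() shows the minimal fix of encoding on output. The error codes, the message table and the surrounding <div> are assumptions made for the example; the proof-of-concept URL is the one from this advisory.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Proof-of-concept URL from the advisory (the "susers" typo is part of it).
POC_URL = ("https://www.greenalp.com/realtimetracker/index.php?error="
           "User+has+disabled+access+for+not+authorized+susers"
           "%3C/div%3E%3Cscript%3Ealert(%22XSS%22);%3C/script%3E")


def error_param(url):
    """Return the decoded value of the 'error' query parameter ('' if absent)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("error", [""])[0]


def render_vulnerable(url):
    """Model of the reported flaw (assumed markup): the decoded parameter is
    concatenated into the page, so '</div><script>...' from the URL becomes
    real markup instead of text."""
    return '<div class="error">' + error_param(url) + '</div>'


# Hypothetical server-side message table: the URL carries only a code,
# never the message itself (the advisory's primary mitigation).
ERROR_TEXT = {
    "disabled": "User has disabled access for not authorized users",
    "login": "Please log in to view this tracker",
}


def render_hardened(url):
    """Look the message up by code; unknown codes get a fixed generic text
    instead of being echoed. The lookup result is encoded anyway, as
    defence in depth should a message ever contain user-controlled data."""
    msg = ERROR_TEXT.get(error_param(url), "An error occurred")
    return '<div class="error">' + escape(msg, quote=True) + '</div>'


def render_encoded_only(url):
    """Minimal fix if the message must stay in the URL: HTML-encode on
    output. html.escape here corresponds to
    htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') in PHP."""
    return '<div class="error">' + escape(error_param(url), quote=True) + '</div>'


def contains_script_tag(html):
    """Crude check used to compare the three renderings."""
    return "<script>" in html.lower()


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable),
                     ("hardened", render_hardened),
                     ("encoded", render_encoded_only)):
        out = fn(POC_URL)
        print(f"{name:11s} script tag present: {contains_script_tag(out)}")
        print("            ", out)
```

Running the block prints the three renderings of the advisory's URL: only the vulnerable one contains a live script tag, the encoded variant shows the payload as harmless text, and the code-based variant never reflects the input at all.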

Timeline

  • 2017-08-26: Vulnerability discovered
  • 2017-08-29: First email sent to support
  • 2017-08-30: Advisory sent to developer
  • 2017-08-31: Fixed by developer
  • 2018-08-11: Published