SIK-2017-055

Title:

Reflective XSS on greenalp.com via RealTime GPS Tracker App

Report ID

SIK-2017-055

Summary:

Vendor: Greenalp
Product: greenalp.com (website)
Affected Version: last accessed 2017-08-16
Severity: Medium
Short summary: A reflective XSS on greenalp.com in an error page

Details:

With a prepared link like

https://www.greenalp.com/realtimetracker/index.php?error=User+has+disabled+access+for+not+authorized+susers%3C/div%3E%3Cscript%3Ealert(%22XSS%22);%3C/script%3E

an adversary can inject Javascript reflectively.

Workaround

None.

Suggested Mitigation

The error message should not be set in a GET parameter of the URL.

Timeline

2017-08-26: Vulnerability discovered
2017-08-29: First email sent to support
2017-08-30: Advisory sent to developer
2017-08-31: Fixed by developer
2018-08-11: Published