Monday, January 20, 2020

[Lifesize] devices allow XSS via the interface/interface.php brand parameter - CVE-2018-17981

lifesize is a device for video conferences. when entering the web application a popup will be displayed to execute flash, taking that URL and injecting javascript in the "brand" parameter we will see how that code is executed evidencing a cross site scripting

Affected Versions:

lifesize express - ls ex2_4.7.10 2000 (14)
Lifesize Room220i - LS_RM2_4.11.8 (14)

By: @linuxmonr4



0 comentarios:

Post a Comment