# CVE-2021-35475 SAS Environment Manager 2.5 XSS漏洞
# Exploit Title: SAS Environment Manager 2.5 - 'name' Stored Cross-Site Scripting (XSS) # Date: 24/06/2021 # Exploit Author: Luqman Hakim Zahari @ Saitamang # Vendor Homepage: https://support.sas.com/en/software/environment-manager-support.html # Version: 2.5 # Tested on: CentOS 7 # CVE : CVE-2021-35475 # Description # SAS® Environment Manager 2.5 allows XSS through the Name field when creating/editing a server. The XSS will prompt when editing the Configuration Properties. # Proof of Concept(PoC) # https://github.com/saitamang/CVE-2021-35475/blob/main/README.md *Steps to Reproduce:* [1.] Login to your system > On "Resource" tab > "Browse"" [2.] Choose a "Platform" [3.] Click "Inventory" tab > Under "Servers" tab click "New..." [4.] Under "General Properties" tab on "Name" field , enter the payload(below) > Filled up other information and click "Ok" button payload : name=XSS">
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容