Actions
Bug #16934
closedPotential XSS in nmap scan output
Start date:
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
Description
When performing a scan using nmap_scan.php, the output of the scan is printed to the user without encoding, leading to a potential XSS if a scan is run with the -sV parameter to identify service versions.
When nmap scans a host with the -sV parameter active, it attempts to determine the version of the daemon it detected after finding an open port. If nmap does not recognize the service, it prints the text returned by the scanned service.
If this text returned by the target daemon contains an XSS payload, the page will print it back to the user. For example:
</textarea><svg/onload=alert`XSS`>
Reported by: @lujiefsi
Actions