CVE-2014-3740

Spiceworks < 7.2.00190 - Authenticated Cross-Site Scripting via Ticket Summary Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-3740. PoCs published by Dolev Farhi.

AI-analyzed exploit summary: This exploit demonstrates multiple stored XSS vulnerabilities in SpiceWorks Ticketing system version 7.2.00174. The PoC shows how an attacker can inject malicious JavaScript into ticket titles or system settings, which executes when an admin views the tickets or settings.

Description

Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Dolev Farhi · text · webapps · windows
https://www.exploit-db.com/exploits/33330

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: SpiceWorks Ticketing System 7.2.00174
Auth required
Prerequisites: Access to create a ticket or modify system settings · Admin user interaction to view the malicious content
devstral-2 · analyzed Feb 16, 2026

References (9)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/532346/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/106916
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Jun/42
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/33330
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/58522

Scores

EPSS 0.0338
EPSS Percentile 87.2%

Details

CWE: CWE-79
Status: published
Products (3):
spiceworks/spiceworks 7.2.00174
spiceworks/spiceworks 7.2.00189
spiceworks/spiceworks < 7.2.00190
Published: Sep 11, 2014
Tracked Since: Feb 18, 2026