Vulnerability Note VU#665280
Accela Civic Platform Citizen Access portal contains multiple vulnerabilities
Accela Civic Platform Citizen Access portal contains cross-site scripting and arbitrary file upload vulnerabilities.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2016-5660
Accela Civic Platform Citizen Access portal contains a cross-site scripting (XSS) vulnerability in the iframeid parameter of AttachmentsList.aspx.
A remote, unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session. A remote, authenticated attacker may bypass file restrictions and upload arbitrary files, leading to arbitrary code execution with application privileges.
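One way to review web server logs for requests that put markup into the iframeid parameter of AttachmentsList.aspx. This is an added example, not part of the original note or of any vendor code. The log lines, the /example/ path and the allow-list pattern for legitimate iframeid values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: a legitimate iframeid is a plain element identifier.
SAFE_IFRAMEID = re.compile(r"^[A-Za-z0-9_\-]{1,64}$")
# Request line as it appears in a combined-format access log.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_iframeid(log_line):
    """Return the decoded iframeid value if it needs review, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    # Compare path and parameter name case-insensitively.
    if not url.path.lower().endswith("/attachmentslist.aspx"):
        return None
    for name, values in parse_qs(url.query).items():  # decodes once
        if name.lower() != "iframeid":
            continue
        for raw in values:
            value = fully_decode(raw)
            if not SAFE_IFRAMEID.match(value):
                return value
    return None

def scan(lines):
    """Return (client address, decoded value) for every flagged request."""
    return [(line.split()[0], v) for line in lines
            if (v := suspicious_iframeid(line)) is not None]

# Constructed sample log lines (documentation address ranges, made-up path).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jul/2016:10:00:00 +0000] "GET /example/AttachmentsList.aspx?iframeid=attachFrame1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Jul/2016:10:00:05 +0000] "GET /example/attachmentslist.aspx?IframeId=x%22%3E%3Cscript%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Jul/2016:10:00:09 +0000] "GET /example/AttachmentsList.aspx?iframeid=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 512',
    '198.51.100.8 - - [13/Jul/2016:10:00:12 +0000] "GET /example/Other.aspx?iframeid=%3Cb%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client}: iframeid={value!r}")
```

The same allow-list check applies on the server side: validate the parameter against the expected identifier format and HTML-encode it wherever it is written into the page.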
Contact the vendor
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Accela | Affected | 23 May 2016 | 07 Jul 2016 |
Thanks to Ahmed Sherif of OffensiveBits for reporting this vulnerability.
This document was written by Joel Land.
- CVE IDs: CVE-2016-5660 CVE-2016-5661
- Date Public: 13 Jul 2016
- Date First Published: 13 Jul 2016
- Date Last Updated: 13 Jul 2016
- Document Revision: 20