XSS, LFI and SQL Injection Vulnerabilities in Achievo
Advisory by Netsparker (now Invicti)
Name: XSS, LFI and SQL Injection Vulnerabilities in Achievo
Software: Achievo 1.4.5 and possibly below.
Vendor Homepage: http://www.achievo.org
Vulnerability Type: Cross-Site Scripting, Local File Inclusion and SQL Injection
Researcher: Canberk Bolat
Advisory Reference: NS-12-016
Achievo is a flexible web-based resource management tool for business environments. Achievo’s resource management capabilities will enable organizations to support their business processes in a simple, but effective manner.
Achievo is affected by XSS, LFI, and SQL Injection vulnerabilities in version 1.4.5.
Affected URL and parameters:
- http://example.com/dispatch.php (GET: atklevel, atkaction, atkstackid, atkselector, atkfilter, searchString)
- SQL Injection:
Disclosure timeline:
23/01/2011 – First contact
25/02/2012 – Second contact – No response
01/11/2012 – Advisory released
The vulnerabilities were discovered while testing with the Invicti Web Application Security Scanner.
- MSL Advisory Link: /xss-lfi-and-sql-injection-vulnerabilities-in-achievo/
- Invicti Advisories: /web-applications-advisories/