Injection: GeoVision Geowebserver \<= 5.3.3 - Local File Inclusion / Cross-Site Scripting
Identifier:
geovision_geowebserver_lfi_xss
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
Description
GeoVision Geowebserver \<= 5.3.3 is vulnerable to several XSS, HTML injection, and Local File Inclusion (LFI) vectors. The application does not properly sanitize user requests, which allows HTML and script injection as well as client-side exploitation, including session theft.
Reference:
Configuration
Example
Example configuration:

```yaml
---
security_tests:
  geovision_geowebserver_lfi_xss:
    assets_allowed:
      - REST
      - GRAPHQL
      - WEBAPP
    skip: false
```

Reference
assets_allowed
Type : List[AssetType]*
List of assets that this check will cover.
skip
Type : boolean
Skip the test if true.