Injection: GeoVision Geowebserver <= 5.3.3 - Local File Inclusion / Cross-Site Scripting
Identifier:
geovision_geowebserver_lfi_xss
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
GeoVision Geowebserver <= 5.3.3 is vulnerable to XSS, HTML injection, and local file inclusion because it does not properly sanitize input, potentially allowing session theft and client-side exploitation.
How we test: We test for XSS, HTML injection, and LFI vulnerabilities in GeoVision Geowebserver by injecting script and file path payloads, then analyzing the responses to detect whether scripts are executed or local files are included.
Reference:
Configuration
Example
Example configuration:
Reference
skip
Type: boolean
Skip the test if true.