myDBR – myDBR – Version 5.8.3/4262 – Cross Site Request Forgery (CSRF) Token Injection to Cross-Site Scripting (XSS).
The login page of myDBR appears to be vulnerable to client-side code injection. The injected code is delivered in the form of a CSRF token: the “csrf_token” parameter used to populate the login form is echoed back, unescaped, in the error page below.
The following error then populates the page, because an invalid CSRF token has been submitted.
csrf error in login: <br>POST value:<script>alert("ECSC_POC")</script><br>Session value:3b8307d568087b37b0a590ef657ef10611863bd926b50e4b82097c075236bdec<br><br>Try deleting the mydbr-id cookie from the browser (if you do not see it, try HTTPS)
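The error message above reflects the submitted csrf_token value and the server-side session token straight into HTML, which is what turns a CSRF check failure into reflected XSS. The Python below is an added illustration, not myDBR's code: it models the reflected pattern beside a hardened version that escapes the user-supplied value and stops echoing the session token, and it compares tokens in constant time. The function names and the use of Python are assumptions; the POST value and session value are the ones quoted on the page.

```python
import html
import hmac
import secrets

# Sample input taken from the error message quoted on the page.
POSTED_TOKEN = '<script>alert("ECSC_POC")</script>'
SESSION_TOKEN = "3b8307d568087b37b0a590ef657ef10611863bd926b50e4b82097c075236bdec"


def issue_csrf_token():
    """Issue a fresh per-session token (64 hex chars, like the session value shown)."""
    return secrets.token_hex(32)


def csrf_token_matches(post_value, session_value):
    """Constant-time comparison; a missing value never matches."""
    if not post_value or not session_value:
        return False
    return hmac.compare_digest(post_value.encode(), session_value.encode())


def render_error_vulnerable(post_value, session_value):
    """Models the reflected pattern described on the page: both values are
    concatenated into the HTML unescaped, so markup in post_value is rendered."""
    return ("csrf error in login: <br>POST value:" + post_value +
            "<br>Session value:" + session_value + "<br>")


def render_error_hardened(post_value):
    """Hardened form (example code): HTML-escape the user-supplied value and
    do not reveal the server-side session token in the response at all."""
    return ("csrf error in login: <br>POST value:" +
            html.escape(post_value, quote=True) + "<br>")


def contains_raw_script_tag(page):
    """Check used to confirm the fix: does the page still carry an unescaped <script>?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("token valid:", csrf_token_matches(POSTED_TOKEN, SESSION_TOKEN))
    print("vulnerable:", render_error_vulnerable(POSTED_TOKEN, SESSION_TOKEN))
    print("hardened:  ", render_error_hardened(POSTED_TOKEN))
```

Running it shows the vulnerable rendering still containing a live <script> element while the hardened rendering carries only `&lt;script&gt;` text and no session token; the comparison itself is unchanged in outcome but no longer leaks timing information.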