PDF cross-scripting vulnerability

Hello,

We have several applications written with Scriptcase.

During a VAPT session, a vulnerability was found regarding the PDF library:

Unauthenticated Cross-Site Scripting (XSS)

If you type in your browser the following link:

httpx://server_ip/app/_lib/prod/lib/php/nm_config_pdf.php?nm_target=
‘’

a pop-up appears for configuring PDF export.

Is this something that can be solved?

Thank you very much

I solved it by modifying the PHP script nm_config_pdf.php as below, using htmlentities, but I think I will lose the modification on the next update.
Thank you

    <?php
    /**
     * $Id: nm_config_pdf.php,v 1.1.1.1 2011-05-12 20:31:29 diogo Exp $
     */
    session_start();

    $opc = (isset($_GET['nm_opc'])) ? $_GET['nm_opc'] : "";
    $xtarget = (isset($_GET['nm_target'])) ? $_GET['nm_target'] : "";
    // Encode the user-supplied target before it is written into the page.
    $target = htmlentities($xtarget);
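
The following is an added example, not part of the original posts and not Scriptcase code: a stricter way to treat `nm_target` than a bare `htmlentities()` call, with the posted call's pre-PHP 8.1 behaviour shown beside it. The helper name `nm_safe_target` is hypothetical, and it assumes `nm_target` only ever carries a window or frame name, which the thread does not confirm.

```php
<?php
// Added example, not Scriptcase code. Assumption: nm_target carries a
// window/frame name, so a strict allowlist is acceptable. Loosen the
// pattern if the application legitimately passes other values.

/**
 * Hypothetical helper: return a value safe to echo into HTML text or a
 * quoted attribute, or "" when the input is not a plausible target name.
 */
function nm_safe_target($raw)
{
    // ?nm_target[]=x turns $_GET['nm_target'] into an array; reject it.
    if (!is_string($raw)) {
        return "";
    }
    // Allowlist first: letters, digits, underscore, hyphen, 1 to 64 chars.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw)) {
        return "";
    }
    // Encode anyway as defence in depth. ENT_QUOTES also encodes the single
    // quote, which htmlentities() leaves untouched by default before PHP 8.1.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs (not taken from the VAPT report).
$samples = ['_self', 'report_frame', "a'b", 'a"b', '<b>x</b>', ['x']];

foreach ($samples as $s) {
    $shown = is_array($s) ? 'array' : $s;
    // Result of the posted fix on PHP < 8.1, where ENT_COMPAT was the default.
    $compat = is_array($s) ? 'n/a' : htmlentities($s, ENT_COMPAT, 'UTF-8');
    printf(
        "%-14s compat=%-28s safe=%s\n",
        $shown,
        $compat,
        var_export(nm_safe_target($s), true)
    );
}
```

To keep the check across product updates, the same function could be called from a file loaded through PHP's `auto_prepend_file` directive, rewriting `$_GET['nm_target']` before nm_config_pdf.php runs. That placement is a suggestion and has not been tested against Scriptcase.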