Disclosure date: 08/12/19

CVE-2019-14987

Adive Framework 2.0.7, and possibly earlier versions, is affected by a Cross-Site Scripting (XSS) vulnerability in the Create New Table and Create New Menu Link functions. This could lead to cookie theft and other malicious actions. The vulnerability can be exploited from an authenticated administrator account.

Select Create New Table:

Populate the description with XSS:

When selecting Create Table:

We see the XSS payload execute.

Going through the same process with the Create New Menu Link function:

Populate the description with XSS:

When selecting Create Link:

We see the XSS payload execute.

Viewing the Add Table Burp POST request:

And the source for the corresponding form:

Viewing the Add Nav Burp POST request:

And the source for the corresponding form: