Parameter injection leads to reflected file download

AnoopOjha · February 2018

I am using GSA 7.6.0.G.58. in our current AEM site. we are facing one vulnerability issue in our site, while through inspect element someone is injecting <a href="h***s://www.sitename.us/suggest?callback=calc" download="setup.bat" onclick="return false;">DOWNLOAD YOUR

FILE</a> , they able to download setup.bat file which is showing some GSA info.

this is happening only through inspect element and not through browser hit.

If anyone has faced the similar issue. please help me out.

Sven · February 2018

what is GSA 7.6.0.G.58 ?

AnoopOjha · February 2018

I am using GSA version 7.6.0.G.58.

Sven · February 2018

we never had such version and GSA is the company name.

AnoopOjha · February 2018

I guess I posted this in the wrong forum. I am sorry:)

Sven · February 2018

please enlighten us what software you where talking about.

Parameter injection leads to reflected file download

Comments