To exploit persistent Cross Site Scripting, Rapid7 entered the following information within the login
Next, we logged into Segue2 as an administrator and open the “Browse Logs” page for Harmoni. Below
is a screenshot of the page:
This attack can be used in gaining administrator privileges on the Segue2 system. An attacker only needs
to perform a GET request with the administrator’s session information with the request and then review
the web server logs to extract the information.
Found during Rapid7 security audit.