===================
"Reflected Cross-Site Scripting (XSS)" (CWE-79) vulnerability
in "Intrexx Professional" product
Vendor
===================
United Planet GmbH
Product
===================
"Intrexx is an integrated cross-platform development environment for the creation
and operation of web-based applications, enterprise portals and intranet portals."
- source: https://en.wikipedia.org/wiki/
Affected versions
===================
This vulnerability affects versions of Intrexx Professional 6.0 (prior to Online Update 10)
and 5.2 (prior to Online Update 0905)
Patch availability
===================
The vendor has released the following fixes:
"Online Update 10" or later for Intrexx Professional 6.0 users
"Online Update 0905" or later for Intrexx Professional 5.2 users
Reported by
===================
This issue was reported to the vendor by Christian Schneider (@cschneider4711)
following a responsible disclosure process.
Severity
===================
Medium
Exploitability
===================
Victim needs to visit malicious webpage of attacker
Description
===================
Using the request parameter of the search functionality it is possible to execute
Reflected Cross-Site Scripting (XSS) attacks. This enables attackers to impersonate
victim users (in context of the origin exposing the portal) when logged-in victims
are accessing attacker supplied links/sites.
Proof of concept
===================
Due to the responsible disclosure process chosen and to not harm unpatched systems,
no concrete exploit code will be presented in this advisory.
References
===================
https://help.unitedplanet.com/
https://help.unitedplanet.com/
http://www.christian-
Komentarų nėra:
Rašyti komentarą