# Vulnerability type: Cross-site Scripting
# Vendor: http://www.netcracker.com/
# Product: NetCracker Resource Management System
# Affected version: =< 8.0
# Patched version: 8.2
# Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan
# CVE ID: CVE-2015-2207
# PROOF OF CONCEPT (XSS)
Cross-site scripting (XSS) vulnerability in multiple pages in NetCracker
Resource Management System and earlier allows authenticated users to
inject arbitrary javascript via multiple parameters.
# VULNERABLE PARAMETERS:
ctrl
- t90001_0_theform_selection
- _scroll
- tableName
- parent
- circuit
- return
- xname
- mpTransactionId
- (etc...)
# SAMPLE PAYLOAD
- <script>alert("XSS")</script>
# TIMELINE
- 28/02/2015: Vulnerability found
- 13/03/2015: Vendor informed
- 13/03/2015: Vendor responded and acknowledged
- 19/05/2015: Vendor fixed the issue
- 22/07/2015: Public disclosure
Komentarų nėra:
Rašyti komentarą