-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
"Reflected Cross-Site Scripting (XSS)" (CWE-79) vulnerability in "infoware MapSuite"
infoware GmbH
MapSuite
This vulnerability affects versions of MapSuite MapAPI prior to 1.0.36 and 1.1.49
MapSuite MapAPI 1.0.36 and 1.1.49
Both patches are available since 2014-03-26.
This issue was reported to the vendor by Christian Schneider (@cschneider4711)
following a responsible disclosure process.
Medium
No authentication required
Using a specially crafted URL to access the MapAPI it is possible to execute Reflected
Cross-Site Scripting (XSS) attacks. This enables attackers to impersonate victim users
(in context of the origin exposing the MapAPI) when logged-in victims are accessing
attacker supplied links.
Due to the responsible disclosure process chosen and to not harm unpatched systems,
no concrete exploit code will be presented in this advisory.
MapSuite MapAPI 1.0.x users should upgrade to 1.0.36 or later as soon as possible.
MapSuite MapAPI 1.1.x users should upgrade to 1.1.49 or later as soon as possible.
n/a
2014-03-14 Vulnerability discovered
2014-03-14 Vulnerability responsibly reported to vendor
2014-03-21 Reply from vendor acknowledging report
2014-03-26 Reply from vendor with updated patch (version 1.0.36 and 1.1.49)
meanwhile Verification of the patch by reporting researcher + vendor informed customers
2014-06-01 Advisory published in coordination with vendor via BugTraq
http://www.christian-schneider.net/advisories/CVE-2014-2843.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iEYEARECAAYFAlOLhbUACgkQXYAsOfddvFMCUwCdHdnL8J+sizTRxY33OmdWfFlA
2OQAnRb79YiQ/SbwpdMt/Qg7/UCleMZ8
=vW4U
-----END PGP SIGNATURE-----