SECURITYVULNS:DOC:31534
Dec 22, 2014

CVE-2014-2026 Reflected Cross-Site Scripting (XSS) in "Intrexx Professional"

vulners.com


CVE-2014-2026

"Reflected Cross-Site Scripting (XSS)" (CWE-79) vulnerability
in "Intrexx Professional" product

Vendor

United Planet GmbH

Product

"Intrexx is an integrated cross-platform development environment for the creation
and operation of web-based applications, enterprise portals and intranet portals."

Affected versions

This vulnerability affects Intrexx Professional 6.0 (prior to Online Update 10)
and 5.2 (prior to Online Update 0905).

Patch availability

The vendor has released the following fixes:
"Online Update 10" or later for Intrexx Professional 6.0 users
"Online Update 0905" or later for Intrexx Professional 5.2 users

Reported by

This issue was reported to the vendor by Christian Schneider (@cschneider4711)
following a responsible disclosure process.

Severity

Medium

Exploitability

The victim needs to visit a malicious webpage controlled by the attacker.

Description

A request parameter of the search functionality is reflected into the response in a
way that allows Reflected Cross-Site Scripting (XSS). An attacker who gets a logged-in
user to open an attacker-supplied link or site can run script in the context of the
origin exposing the portal and thereby act as (impersonate) that user.
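The following is an added illustration, not code from this advisory or from Intrexx, of the reflected-XSS pattern described above and its fix: a search page that reflects an assumed request parameter once raw and once HTML-encoded, plus a regression check a defender can run over a captured response body after applying the vendor update. The parameter name, the markup and the sample response are assumptions.

```python
import html

# Assumed: the search page reflects the request parameter "q" into the HTML
# result heading. The parameter name and markup are constructed for this example.

def render_search_vulnerable(query: str) -> str:
    """Reflects the raw search term into the page: the CWE-79 pattern."""
    return f"<h2>Results for: {query}</h2>"

def render_search_hardened(query: str) -> str:
    """HTML-encodes the term before reflecting it; quote=True also encodes ' and "
    so the value stays inert inside attribute contexts as well as element text."""
    return f"<h2>Results for: {html.escape(query, quote=True)}</h2>"

# Benign probe containing every character that matters in an HTML context.
# It carries no script; it only reveals whether encoding is applied.
PROBE = "<'\"&>"

def reflected_unencoded(body: str, probe: str = PROBE) -> bool:
    """Regression check for a captured response: True if the probe appears
    verbatim (unencoded). Encoded forms such as &lt; do not match, so a
    correctly patched page yields False."""
    return probe in body

def check_fix(render) -> dict:
    """Render the probe through a handler and report whether it was encoded."""
    body = render(PROBE)
    return {"body": body, "reflected_unencoded": reflected_unencoded(body)}

# Constructed sample of a response body captured from a patched server.
SAMPLE_PATCHED_BODY = "<html><body><h2>Results for: &lt;&#x27;&quot;&amp;&gt;</h2></body></html>"

if __name__ == "__main__":
    print("vulnerable:", check_fix(render_search_vulnerable))
    print("hardened:  ", check_fix(render_search_hardened))
    print("captured patched body still reflects unencoded:",
          reflected_unencoded(SAMPLE_PATCHED_BODY))
```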

Proof of concept

Due to the responsible disclosure process chosen and to not harm unpatched systems,
no concrete exploit code will be presented in this advisory.

References

https://help.unitedplanet.com/?rq_AppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_TargetPageGuid=7A91F4B76FFC41A18F4EA4ACE26F31E033C5B018

https://help.unitedplanet.com/?rq_AppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_TargetPageGuid=2EBBF802B1970FE31EFC8A34108DF3F47E7A8EEC&rq_RecId=32&rq_SourceAppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_SourcePageGuid=7A91F4B76FFC41A18F4EA4ACE26F31E033C5B018&rq_SourceRecId=32#{1}

http://www.christian-schneider.net/advisories/CVE-2014-2026.txt

