Информационная безопасность
[RU] switch to English


Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  [SYSS-2015-020] ZENWorks Mobile Management - Cross-Site Scripting

  ZCMS SQL Injection & Persistent XSS

  Nakid-CMS CSRF, Persistent XSS & LFI

  [KIS-2015-03] Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability

From:stasvolfus_(at)_gmail.com <stasvolfus_(at)_gmail.com>
Date:14 июня 2015 г.
Subject:XSS vulnerability Adobe Connect 9.3 (CVE-2015-0343 )



Advisory: Adobe Connect Reflected XSS
Author: Stas Volfus (Bugsec Information Security LTD)
Vendor URL: http://www.adobe.com/
Status: Vendor Notified


==========================
Vulnerability Description
==========================

Adobe Connect (Central) version: 9.3 is vulnerable to Reflected XSS (Cross Site Scripting).

The attack allows execution of arbitrary JavaScript in the context of the user’s browser.

CVE id: CVE-2015-0343  assigned  for this issue.



==========================
PoC
==========================
The following URL demonstrates the vulnerability:

https://vulnerablewebsite.com/admin/home/homepage/search?account-id=1&filter-
rows=1&filter-start=0&now=yes&query=<a href="javascript:alert('XSS')">XSS Link</a>



==========================
Disclosure Timeline
==========================

04-NOV-2014 - Vendor notified

01-DEC-2014 - CVE assigned

27-MAR-2015 - Resolved by vendor, fix deployed on Adobe Connect 9.4.


==========================
References
==========================
http://www.adobe.com/il_en/products/adobeconnect.html
https://helpx.adobe.com/adobe-connect/release-note/connect-94-release-notes.
html

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород