Vulnerability type: Cross-site Scripting
Product: NetCracker Resource Management System
Affected version: =< 8.0
Patched version: 8.2
Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan
CVE ID: CVE-2015-2207
PROOF OF CONCEPT (XSS)
Cross-site scripting (XSS) vulnerability in multiple pages in NetCracker
Resource Management System and earlier allows authenticated users to
inject arbitrary javascript via multiple parameters.
VULNERABLE PARAMETERS:
ctrl
- t90001_0_theform_selection
- _scroll
- tableName
- parent
- circuit
- return
- xname
- mpTransactionId
- (etc…)
SAMPLE PAYLOAD
- <script>alert("XSS")</script>
TIMELINE
- 28/02/2015: Vulnerability found
- 13/03/2015: Vendor informed
- 13/03/2015: Vendor responded and acknowledged
- 19/05/2015: Vendor fixed the issue
- 22/07/2015: Public disclosure