Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32365
HistoryJul 27, 2015 - 12:00 a.m.

NetCracker Resource Management 8.0 - XSS Vulnerability

2015-07-2700:00:00
vulners.com
35

Vulnerability type: Cross-site Scripting

Vendor: http://www.netcracker.com/

Product: NetCracker Resource Management System

Affected version: =< 8.0

Patched version: 8.2

Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan

CVE ID: CVE-2015-2207

PROOF OF CONCEPT (XSS)

Cross-site scripting (XSS) vulnerability in multiple pages in NetCracker
Resource Management System and earlier allows authenticated users to
inject arbitrary javascript via multiple parameters.

VULNERABLE PARAMETERS:

ctrl

  • t90001_0_theform_selection
  • _scroll
  • tableName
  • parent
  • circuit
  • return
  • xname
  • mpTransactionId
  • (etc…)

SAMPLE PAYLOAD

  • <script>alert("XSS")</script>

TIMELINE

  • 28/02/2015: Vulnerability found
  • 13/03/2015: Vendor informed
  • 13/03/2015: Vendor responded and acknowledged
  • 19/05/2015: Vendor fixed the issue
  • 22/07/2015: Public disclosure
Related for SECURITYVULNS:DOC:32365