usd-2018-0001 | Starface/6.4.3.34

Advisory ID: usd-2018-0001
CVE Number: N/A
Affected Product: Starface
Affected Version: 6.4.3.34
Vulnerability Type: Reflected XSS
Security Risk: Medium
Vendor Status: Not fixed

Description

Reflected XSS attack (or non-persistent attack) occur when a malicious script is reflected off of a web application to the victim’s browser. The attack is typically delivered via email or a web site and activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts.

Proof of Concept (PoC)

The ‚items‘, ’selected‘ and ‚titleKey‘ parameters of /config/voicebox/display/group.do are vulnerable to XSS.
=> PoC will be published when all issues are fixed.
The ‚items‘, ’selected‘ and ‚titleKey‘ parameters of /config/voicebox/display/user.do are vulnerable to XSS.
=> PoC will be published when all issues are fixed.
The parameters ‚items‘, ‚regex‘, ’selected‘, ‚titleKey‘, ‚width‘ and ‚emptyOption‘ of /template/list.do are vulnerable to XSS.
=> PoC will be published when all issues are fixed.

Fix

Make sure to encode the user supplied input.

Credits

These security vulnerabilities were found by Sebastian Puttkammer of usd AG.

usd-2018-0001 | Starface/6.4.3.34

Description

Proof of Concept (PoC)

Fix

Credits

About usd Security Advisories

Disclaimer

usd HeroLab

LabNews

Security Advisories zu SONIX und SAP

The Surprising Complexity of Finding Known Vulnerabilities

Security Advisories zu Zimperium und FileCloud

Folgen Sie uns