Home / os / winmobile

NetCracker Resource Management System 8.0 Cross Site Scripting

Posted on 23 July 2015

# Vulnerability type: Cross-site Scripting # Vendor: http://www.netcracker.com/ # Product: NetCracker Resource Management System # Affected version: =< 8.0 # Patched version: 8.2 # Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan # CVE ID: CVE-2015-2207 # PROOF OF CONCEPT (XSS) Cross-site scripting (XSS) vulnerability in multiple pages in NetCracker Resource Management System and earlier allows authenticated users to inject arbitrary javascript via multiple parameters. # VULNERABLE PARAMETERS: ctrl - t90001_0_theform_selection - _scroll - tableName - parent - circuit - return - xname - mpTransactionId - (etc...) # SAMPLE PAYLOAD - <script>alert("XSS")</script> # TIMELINE - 28/02/2015: Vulnerability found - 13/03/2015: Vendor informed - 13/03/2015: Vendor responded and acknowledged - 19/05/2015: Vendor fixed the issue - 22/07/2015: Public disclosure

 

TOP