High-Tech BridgeHTB23256Reflected Cross-Site Scripting (XSS) in SearchBlox
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
65.5%
High-Tech Bridge Security Research Lab discovered XSS vulnerability in SearchBlox, which can be exploited to perform Cross-Site Scripting attacks against the vulnerable web application administrators.
Input passed via the “menu2” HTTP GET parameter to “/searchblox/admin/main.jsp” script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and scripting code in his browser in context of the vulnerable website.
A simple XSS exploit below uses the “alert()” JS function to display a box with “ImmuniWeb” word:
http://[host]/searchblox/admin/main.jsp?menu1=adm&menu2=%22%3E%3Cscript%3Eal ert%28%27ImmuniWeb%27%29;%3C/script%3E
| CPE | Name | Operator | Version |
|---|---|---|---|
| searchblox | le | 8.2 |
Related
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
65.5%