NCH Software Inventoria 3.45 Cross Site Scripting

2014-01-30T00:00:00
ID PACKETSTORM:124987
Type packetstorm
Reporter LiquidWorm
Modified 2014-01-30T00:00:00

Description

                                        
                                            `  
NCH Software Inventoria 3.45 (id param) Reflected Cross-Site Scripting Vulnerability  
  
  
Vendor: NCH Software  
Product web page: http://www.nchsoftware.com  
Affected version: 3.45  
  
Summary: Inventoria is a business inventory management and stock control  
software that allows you to manage and monitor your inventory to help  
streamline your operations and boost profits.  
  
Desc: The application suffers from a reflected XSS issue due to a failure  
to properly sanitize user-supplied input to the 'id' GET parameter in the  
'locdelete' (JSP) script. Attackers can exploit this weakness to execute  
arbitrary HTML and script code in a user's browser session.  
  
Tested on: Microsoft Windows 7 Professional SP1 (EN)  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2014-5167  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5167.php  
  
  
20.01.2014  
  
--  
  
  
- http://zslabws03:1097/locdelete?id=1"><script>alert(document.cookie);</script>  
`