NCH Software Inventoria 3.45 Cross Site Scripting

Type packetstorm
Reporter LiquidWorm
Modified 2014-01-30T00:00:00


NCH Software Inventoria 3.45 (id param) Reflected Cross-Site Scripting Vulnerability  
Vendor: NCH Software  
Product web page:  
Affected version: 3.45  
Summary: Inventoria is a business inventory management and stock control  
software that allows you to manage and monitor your inventory to help  
streamline your operations and boost profits.  
Desc: The application suffers from a reflected XSS issue due to a failure  
to properly sanitize user-supplied input to the 'id' GET parameter in the  
'locdelete' (JSP) script. Attackers can exploit this weakness to execute  
arbitrary HTML and script code in a user's browser session.  
Tested on: Microsoft Windows 7 Professional SP1 (EN)  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2014-5167  
Advisory URL:  
- http://zslabws03:1097/locdelete?id=1"><script>alert(document.cookie);</script>