Vulners
Lucene search
InterWorx Web Control Panel Cross Site Scripting
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | InterWorx Web Control Panel Cross Site Scripting Vulnerability | 26 Mar 201400:00 | – | zdt |
 | CVE-2014-2035 | 27 Feb 201415:55 | – | attackerkb |
 | CVE-2014-2035 | 27 Feb 201415:00 | – | cve |
 | CVE-2014-2035 | 27 Feb 201415:00 | – | cvelist |
 | EUVD-2014-2087 | 7 Oct 202500:30 | – | euvd |
 | CVE-2014-2035 | 27 Feb 201415:55 | – | nvd |
 | InterWorx Web Control Panel Information Disclosure and XSS Vulnerability | 16 Oct 201400:00 | – | openvas |
 | Cross site scripting | 27 Feb 201415:55 | – | prion |
 | [CVE-2014-2035] XSS in InterWorx Web Control Panel <= 5.0.12 | 5 May 201400:00 | – | securityvulns |
| Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl) | 5 May 201400:00 | – | securityvulns |
10
`==============================================
Product: InterWorx Web Control Panel
Vendor: InterWorx LLC
Tested Version: 5.0.12 build 569
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-2035
Risk Level: Medium
CVSSv2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Solution Status: Fixed in Version 5.0.13 build 574
Discovered and Provided: Eric Flokstra (www.itsec.nl)
==============================================
About the Vendor
-------------------------
The InterWorx Hosting Control Panel is a web hosting and linux server
management system that provides tools for server administrators to
command their servers and for end users to oversee the operations of
their website.
Advisory Details:
-------------------------
Reflected cross-site scripting (XSS) vulnerability in the InterWorx
Web Control Panel.
The application uses XMLHttpRequests to post messages to the web
server. However, insufficient output encoding is performed enabling
remote execution of arbitrary scripting code in the target's web
browser. By changing the request method from POST to GET the following
URL could be used as proof of concept:
http://demo.interworx.com:2080/xhr.php?i={%22r%22%3a%22Form_InputValidator%22%2c%22i%22%3a{%22form%22%3a%22Form_NW_Shell_ForbiddenUsers%22%2c%22ctrl%22%3a%22\%2fnodeworx\%2fshell%3Cimg%20src%3dx%20onerror%3dalert%28%27XSS%27%29%3E%22%2c%22input%22%3a%22forbidden_unix_users%22%2c%22value%22%3a%22moi%22%2c%22where_was_i%22%3a%22%2fnodeworx%2fshell%22}}
Vendor contact timeline:
------------------------------------
18 Feb 2014: Vendor notification
18 Feb 2014: Vulnerability confirmation
19 Feb 2014: Issue patched
20 Feb 2014: Public disclosure
Solution:
------------
Upgrade to the latest version (5.0.13 build 574) of InterWorx Web Control Panel.
References:
-----------------
[1] InterWorx Changelog - http://www.interworx.com/developers/changelog/
[2] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Feb 2014 00:00Current
EPSS0.00359