Fog Imaging System 0.32 Cross Site Scripting

2014-05-13T00:00:00
ID PACKETSTORM:126608
Type packetstorm
Reporter Dolev Farhi
Modified 2014-05-13T00:00:00

Description

                                        
                                            `Vulnerability title: Multiple Stored Cross-Site scripting   
  
CVE: CVE-2014-3111  
  
Vendor: FOG Project  
  
Product: FOG Imaging system  
  
Affected version: 0.27 – 0.32 (latest)  
  
Fixed version: N/A  
  
Reported by: Dolev Farhi  
  
  
  
----------------------------  
VULNERABILITY Details:  
----------------------------  
FOG image deployment system versions 0.27 through 0.32 (the latest) are  
vulnerable to multiple persistent cross-site scripting issues in various  
resource management pages.  
By creating a printer, a new system image or a storage resource containing  
malicious code, e.g. <script>alert("sample")</script>,  
a malicious user can have client-side scripts execute when a  
user, or possibly an admin, loads any of the resource management  
pages.  
  
  
-------------------------------------  
VULNERABLE FOG RESOURCES  
-------------------------------------  
XSS Vulnerable resources:  
  
1. Printer Management  
  
2. Image Management  
  
3. Storage Management  
  
4. User Cleanup  
  
  
--------------------------  
PROOF OF CONCEPT  
--------------------------  
https://www.youtube.com/watch?v=tFCLDAH35jU  
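
Added example, not part of the original advisory and not FOG's own code: the stored XSS described under VULNERABILITY Details arises when a saved resource name is written into a management page without encoding. The PHP below shows that pattern beside an output-encoded version, plus a check for names already stored with markup; the record layout and all function names are hypothetical, and the sample rows are constructed.

```php
<?php
// Added example: hypothetical record layout and function names, not FOG source.

// Constructed rows standing in for stored printer / image / storage records.
$resources = [
    ['type' => 'printer', 'name' => 'HP-LaserJet-2F'],
    ['type' => 'image',   'name' => '<script>alert("sample")</script>'],
    ['type' => 'storage', 'name' => 'default'],
];

// Vulnerable pattern: the stored name is concatenated into markup as-is,
// so markup saved in the name runs in the browser of whoever loads the page.
function renderRowUnsafe(array $r): string
{
    return '<tr><td>' . $r['type'] . '</td><td>' . $r['name'] . "</td></tr>\n";
}

// Encode on output for the HTML element/attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every stored field is encoded when it is rendered.
function renderRowSafe(array $r): string
{
    return '<tr><td>' . h($r['type']) . '</td><td>' . h($r['name']) . "</td></tr>\n";
}

// Audit helper: return records whose stored name contains HTML
// metacharacters, i.e. values that change once they are encoded.
function findSuspectNames(array $rows): array
{
    return array_values(array_filter(
        $rows,
        fn(array $r): bool => h($r['name']) !== $r['name']
    ));
}

foreach ($resources as $r) {
    echo renderRowSafe($r);   // the script tag is emitted as inert text
}
foreach (findSuspectNames($resources) as $r) {
    echo 'review stored ' . $r['type'] . ' name: ' . h($r['name']) . "\n";
}
```

Encoding at render time also neutralises entries that were stored before any input validation was added, which is why the audit helper only reports records for review and does not rewrite them.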