Vulners
Lucene search
Endeca Latitude 2.2.2 Cross Site Scripting
🗓️ 25 Jun 2014 00:00:00Reported by redteam-pentesting.deType 
packetstorm🔗 packetstormsecurity.com👁 48 Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2014-2400 | 16 Apr 201401:00 | – | cve |
 | CVE-2014-2400 | 16 Apr 201401:00 | – | cvelist |
 | EUVD-2014-2436 | 7 Oct 202500:30 | – | euvd |
 | CVE-2014-2400 | 16 Apr 201401:55 | – | nvd |
 | Oracle Critical Patch Update - April 2014 | 15 Apr 201400:00 | – | oracle |
| Oracle Critical Patch Update - April 2014 | 15 Apr 201400:00 | – | oracle |
 | Design/Logic Flaw | 16 Apr 201401:55 | – | prion |
| Design/Logic Flaw | 16 Apr 201401:55 | – | prion |
 | [RT-SA-2013-003] Endeca Latitude Cross-Site Scripting | 15 Oct 201400:00 | – | securityvulns |
| Oracle / Sun / MySQL / PeopleSoft / OpenJDK applications multiple security vulnerabilities | 2 May 201400:00 | – | securityvulns |
10
`Advisory: Endeca Latitude Cross-Site Scripting
RedTeam Pentesting discovered a Cross-Site Scripting (XSS)
vulnerability in Endeca Latitude. By exploiting this vulnerability an
attacker is able to execute arbitrary JavaScript code in the context
of other Endeca Latitude users.
Details
=======
Product: Endeca Latitude
Affected Versions: 2.2.2, potentially others
Fixed Versions: N/A
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: N/A
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-003
Advisory Status: published
CVE: CVE-2014-2400
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2400
Introduction
============
Endeca Latitude is an enterprise data discovery platform for advanced,
yet intuitive, exploration and analysis of complex and varied data.
Information is loaded from disparate source systems and stored in a
faceted data model that dynamically supports changing data. This
integrated and enriched data is made available for search, discovery,
and analysis via interactive and configurable applications.
(from the vendor's homepage)
More Details
============
Endeca Latitude offers administrators to trigger different functions by
using the following two URLs (see [1]):
* http://example.com/config?op=<supported-operation>
* http://example.com/admin?op=<supported-operation>
When accessing such an URL which uses an invalid value for the HTTP GET
parameter "op", such as
http://example.com/config?op=RedTeam%20Pentesting, an error message is
shown by the webapplication and the invalid value is directly embedded
into the document without prior escaping, which leads to a Cross-Site
Scripting vulnerability.
Proof of Concept
================
As shown by the following URL, an attacker is able to embed arbitrary
JavaScript code into the context of the Endeca Latitude instance:
http://example.com/config?op=<script>alert('RedTeam Pentesting');</script>
Workaround
==========
The vendor did not update the vulnerable software, but recommends to
configure all installations to require mutual authentication using TLS
certificates for both servers and clients, while discouraging users from
installing said client certificates in browsers.
Fix
===
Not available. The vendor did not update the vulnerable software to
remedy this issue.
Security Risk
=============
The vulnerability can be used to embed arbitrary JavaScript code and
therefore offers a wide range of possible attacks such as stealing
cookies or displaying a fake login form. Furthermore, an attacker can use
this vulnerability to control the Endeca Latitude instance by using the
API implemented by its web service (see [2]). The risk of this
vulnerability is therefore considered to be high.
Timeline
========
2013-10-06 Vulnerability identified
2013-10-08 Customer approved disclosure to vendor
2013-10-15 Vendor notified
2013-10-17 Vendor responded that investigation/fixing is in progress
2014-02-24 Vendor responded that bug is fixed and scheduled for a future
CPU
2014-03-13 Vendor responded with additional information about a
potential workaround
2014-04-15 Vendor releases Critical Patch Update Advisory with little
information on the proposed fix
2014-04-16 More information requested from vendor
2014-05-02 Vendor responds with updated information
2014-06-25 Advisory released
References
==========
[1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/src/cadm_url_about_admin_urls.html
[2] http://docs.oracle.com/cd/E29220_01/index.htm
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Jun 2014 00:00Current
EPSS0.00442