
TennisConnect 9.927 Cross Site Scripting

Published: 19 Dec 2014 00:00:00 | Reported by: Jing Wang | Type: packetstorm | Source: packetstormsecurity.com

TennisConnect 9.927 XSS Vulnerability in COMPONENTS System /index.cfm pag

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| CVE | CVE-2014-8490 | 28 Jan 2020 19:27 | cve |
| Cvelist | CVE-2014-8490 | 28 Jan 2020 19:27 | cvelist |
| EUVD | EUVD-2014-8327 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2014-8490 | 28 Jan 2020 20:15 | nvd |
| Prion | Cross site scripting | 28 Jan 2020 20:15 | prion |

`*CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability*  
  
Exploit Title: TennisConnect "TennisConnect COMPONENTS System" /index.cfm pid Parameter XSS  
Product: TennisConnect COMPONENTS System  
Vendor: TennisConnect  
Vulnerable Versions: 9.927  
Tested Version: 9.927  
Advisory Publication: Nov 18, 2014  
Latest Update: Nov 18, 2014  
Vulnerability Type: Cross-Site Scripting [CWE-79]  
CVE Reference: CVE-2014-8490  
Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]  
  
*Advisory Details:*  
  
*(1) Vendor URL:*  
http://www.tennisconnect.com/products.cfm#Components  
  
  
*Product Description:*  
TennisConnect COMPONENTS  
* Contact Manager (online player database)  
* Interactive Calendar including online enrollment  
* League & Ladder Management through Tencap Tennis  
* Group Email (including distribution lists, player reports, unlimited sending volume and frequency)  
* Multi-Administrator / security system with Page Groups  
* Member Administration  
* MobileBuilder  
* Online Tennis Court Scheduler  
* Player Matching (Find-a-Game)  
* Web Site Builder (hosted web site and editing tools at www. your domain name .com)  
  
*(2) Vulnerability Details:*  
  
TennisConnect COMPONENTS System is vulnerable to XSS attacks.  
  
  
*(2.1)* The vulnerability occurs at "/index.cfm?" page, with "&pid" parameter.  
  
*References:*  
http://tetraph.com/security/cves/cve-2014-8490-tennisconnect-components-system-xss-cross-site-scripting-security-vulnerability/  
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8490  
  
--  
Wang Jing  
School of Physical and Mathematical Sciences  
Nanyang Technological University, Singapore  
`
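
For operators of an affected install, a log-triage sketch for the "/index.cfm" "pid" parameter named in section (2.1). This is an added example, not code from the advisory or the vendor. It assumes Common Log Format access logs and treats HTML metacharacters in the decoded pid value as the signal, since the advisory does not say how pid is rendered; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Request line inside a Common/Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that let a reflected value break out of HTML text or attributes.
HTML_META = set("<>\"'`")

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_pid_requests(log_lines):
    """Return (line_no, decoded_pid) for /index.cfm hits whose pid carries markup characters."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/index.cfm"):
            continue
        # parse_qsl decodes one layer; keep blank values so "pid=" is still seen.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() != "pid":
                continue
            decoded = fully_decode(value)
            if HTML_META & set(decoded):
                hits.append((line_no, decoded))
    return hits

# Constructed sample log lines (not taken from the advisory or any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Nov/2014:10:00:01 +0000] "GET /index.cfm?pid=12 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [18/Nov/2014:10:00:07 +0000] "GET /index.cfm?fuse=x&pid=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5188',
    '192.0.2.12 - - [18/Nov/2014:10:00:09 +0000] "GET /INDEX.CFM?PID=%2522%253Etest HTTP/1.1" 200 5190',
    '192.0.2.13 - - [18/Nov/2014:10:00:12 +0000] "GET /calendar.cfm?pid=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, pid in suspicious_pid_requests(SAMPLE_LOG):
        print(f"line {line_no}: pid={pid!r}")
```

Hits are leads for review rather than proof of exploitation; the same decoded-value check can back a WAF or input-validation rule in front of the application.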
