NetCracker Resource Management System 8.0 Cross Site Scripting

2015-07-22T00:00:00
ID PACKETSTORM:132807
Type packetstorm
Reporter Chia Junyuan
Modified 2015-07-22T00:00:00

Description

                                        
                                            `# Vulnerability type: Cross-site Scripting   
# Vendor: http://www.netcracker.com/  
# Product: NetCracker Resource Management System  
# Affected version: =< 8.0  
# Patched version: 8.2  
# Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan  
# CVE ID: CVE-2015-2207  
  
# PROOF OF CONCEPT (XSS)  
  
Cross-site scripting (XSS) vulnerability in multiple pages in NetCracker  
Resource Management System and earlier allows authenticated users to  
inject arbitrary javascript via multiple parameters.  
  
# VULNERABLE PARAMETERS:  
ctrl  
- t90001_0_theform_selection  
- _scroll  
- tableName  
- parent  
- circuit  
- return  
- xname  
- mpTransactionId  
- (etc...)  
  
# SAMPLE PAYLOAD  
- <script>alert("XSS")</script>  
  
# TIMELINE  
- 28/02/2015: Vulnerability found  
- 13/03/2015: Vendor informed  
- 13/03/2015: Vendor responded and acknowledged  
- 19/05/2015: Vendor fixed the issue  
- 22/07/2015: Public disclosure  
`