Verint Impact 360 11.1 Cross Site Scripting

2016-11-08T00:00:00
ID PACKETSTORM:139612
Type packetstorm
Reporter Sanehdeep Singh
Modified 2016-11-08T00:00:00

Description

                                        
                                            `Overview  
========  
  
* Title : Cross Site Scripting Vulnerability In Verint Impact 360  
* Author: Sanehdeep Singh  
* Plugin Homepage: http://www.verint.com  
* Severity: Medium  
* Version Affected: 11.1  
* Version patched: Patches available. Contact Vendor  
  
Description  
===========  
  
About the Product  
=================  
Verint Impact 360 is a quality monitoring/call recording, workforce  
management, performance management, and eLearning help optimize business  
operations, customer relationships,and personnel enterprise-wide  
application.  
  
Vulnerable Parameter  
--------------------  
  
Send Message > Select Employee >  
  
requiredPrivilegeIDs= XSS Payload  
  
About Vulnerability  
-------------------  
Verint Impact 360 application is vulnerable to a Cross Site Scripting  
Vulnerability which allows an attacker to perform the phishing or session  
hijaking attacks. Attackers can redirect the user to fake page to obtain  
the username and passwords or inject scripts to steal the cookies which can  
lead to session hijacking attacks.  
  
Vulnerability Class  
===================  
Cross Site Scripting (  
https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)  
  
#Live Poc URL  
https://xxx/wfo/control/emp_selector_pu?selectorName=Employee_GN31&isRefreshOpenerOnClose=false&isMultiSelectEnabled=true&userRequired=false&isShowActiveEmployeesOnly=true&requiredPrivilegeIDs=  
<script>alert("XSS")</script>  
  
Mitigation  
==========  
Contact Verint team for Mitigation.  
  
Disclosure  
==========  
29-August-2016 Reported to Verint Team  
  
Credits  
=======  
* Sanehdeep Singh  
* Senior Consultant  
* ControlCase International Pvt Ltd.  
  
  
`