Lucene search
Jakub PalaczynskiPACKETSTORM:150135HistoryNov 02, 2018 - 12:00 a.m.
Loadbalancer.org Enterprise VA MAX Cross Site Scripting
2018-11-0200:00:00
Jakub Palaczynski
packetstormsecurity.com
152
EPSS
0.004
Percentile
74.2%
`Title: Loadbalancer.org Enterprise VA MAX - Unauthenticated Stored XSS
Author: Jakub Palaczynski
Date: 24. July 2018
CVE: CVE-2018-18864
Affected product:
=============
Loadbalancer.org Enterprise VA MAX before 8.3.3
Impact:
======
Remote Code Execution with root privileges.
Vulnerability - Unauthenticated Stored XSS:
===================================
Two instances of Unauthenticated Stored XSS issue were identified in
Loadbalancer.org Enterprise VA MAX:
1. Application takes input from Basic Auth (username) and stores it without
any validation in "Apache Error Log".
This instance works only on HTTPS port.
2. It is possible to inject custom JavaScript code by accessing URL like
/?<XSS>.
Such JavaScript is stored in "Apache User Log".
It works on both - HTTP and HTTPS ports.
Contact:
========
Jakub[dot]Palaczynski[at]gmail[dot]com
`
Related
prion
prion
Design/Logic Flaw
2018-11-20 19:29:00
cvelist
cvelist
CVE-2018-18864
2018-11-20 19:00:00
nvd
nvd
CVE-2018-18864
2018-11-20 19:29:01
cve
cve
CVE-2018-18864
2018-11-20 19:29:01