Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Adiscon LogAnalyzer 4.1.6 Cross Site Scripting

🗓️ 07 Dec 2018 00:00:00Reported by Gustavo SorondoType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 235 Views

Adiscon LogAnalyzer 4.1.6 Cross Site Scripting vulnerability in 'referer' parameter of login.ph

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Adiscon LogAnalyzer 4.1.7 - Cross-Site Scripting Vulnerability
9 Dec 201800:00
zdt
CVE		CVE-2018-19877
5 Dec 201821:00
cve
Cvelist		CVE-2018-19877
5 Dec 201821:00
cvelist
Exploit DB		Adiscon LogAnalyzer < 4.1.7 - Cross-Site Scripting
9 Dec 201800:00
exploitdb
EUVD		EUVD-2018-11551
7 Oct 202500:30
euvd
exploitpack		Adiscon LogAnalyzer 4.1.7 - Cross-Site Scripting
9 Dec 201800:00
exploitpack
Nuclei		Adiscon LogAnalyzer <4.1.7 - Cross-Site Scripting
6 Jun 202603:01
nuclei
NVD		CVE-2018-19877
5 Dec 201821:29
nvd
OpenVAS		Adiscon LogAnalyzer <= 4.1.6 XSS Vulnerability - Active Check
12 Dec 201800:00
openvas
OSV		UBUNTU-CVE-2018-19877
5 Dec 201821:29
osv
Rows per page
`Title: Cross-Site Scripting in Adiscon LogAnalyzer (CVE-2018-19877)  
Credit: Gustavo Sorondo / http://www.cintainfinita.com  
Vendor/Product: Adiscon LogAnalyzer (https://loganalyzer.adiscon.com/  
https://github.com/rsyslog/loganalyzer)  
Vulnerability: Cross-Site Scripting (XSS)  
Vulnerable version: 4.1.6 and earlier  
Fixed in: 4.1.7  
CVE: CVE-2018-19877  
  
## Vulnerability Details  
  
Adiscon LogAnalyzer before 4.1.7 is affected by Cross-Site Scripting (XSS)  
in the 'referer' parameter of the login.php file.  
  
Proof of Concept:  
http://my.loganalyzer.instance/login.php?referer=%22%3E%3Cscript%3Ealert('Cinta%20Infinita')%3C/script%3E  
  
## Vulnerability Disclosure Timeline  
  
2018-11-26 - Vulnerability discovered by Cinta Infinita  
2018-11-28 - Vulnerability reported to Adiscon  
2018-12-04 - Vulnerability confirmed by Adiscon  
2018-12-05 - Issue is fixed and version 4.1.7 is released.  
2018-12-05 - CVE-2018-19877 is assigned  
2018-12-05 - Full disclosure  
  
## Related fixes and releases  
  
https://loganalyzer.adiscon.com/news/loganalyzer-v4-1-7-v4-stable-released/  
https://github.com/rsyslog/loganalyzer/commit/367b50aa1a5a3eaefacd5fa9be397e6b6480168e#diff-fd4f9de25c2c01b55759936a6cc4b029  
  
## About Cinta Infinita  
  
Cinta Infinita offers Information Security related services. Our  
Headquarters are in Buenos Aires, Argentina.  
For more information, visit http://cintainfinita.com  
  
--  
Ing. Gustavo M. Sorondo  
Cinta Infinita - CTO  
Web: http://cintainfinita.com  
LinkedIn: https://www.linkedin.com/in/gustavosorondo  
GPG: http://www.cintainfinita.com/gpg/gs-pkey.txt  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Dec 2018 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.12498
adiscon loganalyzercross-site scriptingxsscve-2018-19877cinta infinitabuenos aires
235