Vulnerability title: Sonexis ConferenceManager Multiple Cross-site Scripting (XSS) Vulnerabilities
Solutionary ID: SERT-VDN-1005
Solutionary disclosure URL: http://www.solutionary.com/index/SERT/Vuln-Disclosures/Sonexis-XSS-Vulnerabilities.html
CVE ID: Pending
CVSS risk rating: 3.9
Product: Sonexis ConferenceManager
Application Vendor: Sonexis
Vendor URL: http://www.sonexis.com/products/index.asp
Date discovered: 2011-01-25
Discovered by: Rob Kraus and Solutionary Engineering Research Team (SERT)
Vendor notification date: 2011-02-18
Vendor response date: 2011-03-02
Vendor acknowledgment: 2011-03-02
Public disclosure date: 2011-04-06
Type of vulnerability: Cross-Site Scripting (XSS) - Stored and Reflected
Exploit vectors: Local and Remote
Stored XSS myAddressBook.asp (fname, lname, email_edit, email, email2, email3, sms, sms_id, work) parameters
Reflected XSS (vulnerable on 126.96.36.199 but not on 188.8.131.52):
  HostLogin.asp (txtConferenceID) parameter
  ParticipantLogin.asp (txtConferenceID) parameter
  ForgotPIN.asp (acp) parameter
  Error.asp (Description, title, Heading) parameters
Tested on: Windows Server 2003 RC2 (SP2) with Sonexis ConferenceManager versions 184.108.40.206 and 220.127.116.11.
Affected software versions: Sonexis ConferenceManager versions 18.104.22.168 (Reflected XSS) and 22.214.171.124 (Stored XSS) (previous versions may also be vulnerable)
Impact: Successful attacks could disclose sensitive information about the user, session, and application to the attacker, resulting in a loss of confidentiality. Using XSS, an attacker could insert malicious code into a web page and entice naïve users to execute the malicious code.
Fixed in: Reflected XSS vulnerabilities appear to have been fixed during our testing of version 126.96.36.199. Please consult the vendor for the specific patch addressing the reflected XSS items discovered.
Remediation guidelines: Restrict access to internal network segments and monitor vendor notifications for application updates that may address and fix the issues identified.
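
Log review example (added here, not part of the original advisory or the vendor's code): while waiting for a vendor fix, web server access logs can be checked for requests to the pages listed above whose listed parameters carry HTML markup characters. The log field order, the sample log lines and the function names are assumptions constructed for illustration, and only query-string parameters are covered, since form bodies do not normally appear in access logs.

```python
from urllib.parse import parse_qsl, unquote_plus

# Pages and parameters named in the advisory, lower-cased for matching.
WATCHED = {
    "myaddressbook.asp": {"fname", "lname", "email_edit", "email", "email2",
                          "email3", "sms", "sms_id", "work"},
    "hostlogin.asp": {"txtconferenceid"},
    "participantlogin.asp": {"txtconferenceid"},
    "forgotpin.asp": {"acp"},
    "error.asp": {"description", "title", "heading"},
}
MARKUP_CHARS = set('<>"')

# Constructed sample log (assumed field order, documentation IP addresses).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2011-05-01 10:00:01 GET /HostLogin.asp txtConferenceID=12345 192.0.2.10 200
2011-05-01 10:00:07 GET /HostLogin.asp txtConferenceID=%22%3E%3Cb%3Etest 192.0.2.44 200
2011-05-01 10:00:09 GET /Error.asp Title=Oops&Description=%253Ci%253Ex 192.0.2.44 200
2011-05-01 10:00:12 GET /default.asp q=%3Cb%3E 192.0.2.10 200
"""

def suspicious_params(uri_stem, uri_query):
    """Return watched parameter names whose decoded value contains markup characters."""
    watched = WATCHED.get(uri_stem.lower().rsplit("/", 1)[-1])
    if not watched or uri_query == "-":
        return []
    hits = []
    for name, value in parse_qsl(uri_query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded values.
        if name.lower() in watched and MARKUP_CHARS & set(unquote_plus(value)):
            hits.append(name)
    return hits

def scan(log_text):
    """Return (date, time, client_ip, page, parameter_names) for each flagged request."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        date, time, _method, stem, query, client_ip, _status = fields[:7]
        hits = suspicious_params(stem, query)
        if hits:
            findings.append((date, time, client_ip, stem, hits))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```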