CVE-2014-2026 Reflected Cross-Site Scripting (XSS) in "Intrexx Professional"

2014-12-22T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-2026 =================== "Reflected Cross-Site Scripting (XSS)" (CWE-79) vulnerability in "Intrexx Professional" product Vendor =================== United Planet GmbH Product =================== "Intrexx is an integrated cross-platform development environment for the creation and operation of web-based applications, enterprise portals and intranet portals." - source: https://en.wikipedia.org/wiki/Intrexx Affected versions =================== This vulnerability affects versions of Intrexx Professional 6.0 (prior to Online Update 10) and 5.2 (prior to Online Update 0905) Patch availability =================== The vendor has released the following fixes: "Online Update 10" or later for Intrexx Professional 6.0 users "Online Update 0905" or later for Intrexx Professional 5.2 users Reported by =================== This issue was reported to the vendor by Christian Schneider (@cschneider4711) following a responsible disclosure process. Severity =================== Medium Exploitability =================== Victim needs to visit malicious webpage of attacker Description =================== Using the request parameter of the search functionality it is possible to execute Reflected Cross-Site Scripting (XSS) attacks. This enables attackers to impersonate victim users (in context of the origin exposing the portal) when logged-in victims are accessing attacker supplied links/sites. Proof of concept =================== Due to the responsible disclosure process chosen and to not harm unpatched systems, no concrete exploit code will be presented in this advisory. References =================== https://help.unitedplanet.com/?rq_AppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_TargetPageGuid=7A91F4B76FFC41A18F4EA4ACE26F31E033C5B018 https://help.unitedplanet.com/?rq_AppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_TargetPageGuid=2EBBF802B1970FE31EFC8A34108DF3F47E7A8EEC&rq_RecId=32&rq_SourceAppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_SourcePageGuid=7A91F4B76FFC41A18F4EA4ACE26F31E033C5B018&rq_SourceRecId=32#{1} http://www.christian-schneider.net/advisories/CVE-2014-2026.txt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) iQIcBAEBAgAGBQJUjhC3AAoJEEDB74comLC+PQEP/3uN8CfRfZWMrWjcjZUl/OQf d9ohQf1xyHxqC2IARrJcYVTHP1i/4VhnkFGd2Q0yrRqVEzlN84qgyXArkBW9RDkR OgMkT3oqIERywpq3M9A91Jdb5LrdiFCKPj9kBbcXmsgsgZIPXlJSCQ92IoyepTrL rYw9mUUkN+qxu07xPS2gdzYtpv51PoW2svZFnQKEbXa9wl8Yw5PcPqvYJkxG/TJv KDD1U0k9d7Y5mLlvnVil8ANvDoXVD5YrNFX80pHi0hBbMQvchj2OOpq8Mia7IIjK E4GjfshwZ4XZfSlNEu7ESoKdXxOwbm9M2N5a5DwiuXOwQLh6UKrZRPQMzz6L3HyX KBjAodTGMPGtO8YHTJVsWIQpsB+gENUudxpcOJ8jnHMOwEp8T0zMHeWjaZpj2Gzm 3jrRjuScT8FzJMEudBSLFwZy+Ce6rC9PA4mmPqNKADW+E32vmt17HV1wO007k84H LgmBkpvGh+ZefIhCNfKm6i6PfxFePqQZMycAJYwdF1P3IpVRHVW/o45XAyWZHOjU /wRJpwlETJjSicibVcbx7hZxv1gjPwOoePeyMK6PciD0W3jdjRsABaOfQeJ5gQgL BGfrziuu0uBnMTFWM5OJD8WW4qdWmgjQEh+xH4HErWOAV5VQJFABmkIfWfVD6vhK yHJz6lRSMRhhVCxL6E3A =fTQM -----END PGP SIGNATURE-----

{"id": "SECURITYVULNS:DOC:31534", "bulletinFamily": "software", "title": "CVE-2014-2026 Reflected Cross-Site Scripting (XSS) in "Intrexx Professional"", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\nCVE-2014-2026\r\n===================\r\n"Reflected Cross-Site Scripting (XSS)" (CWE-79) vulnerability\r\nin "Intrexx Professional" product\r\n\r\n\r\nVendor\r\n===================\r\nUnited Planet GmbH\r\n\r\n\r\nProduct\r\n===================\r\n"Intrexx is an integrated cross-platform development environment for the creation \r\nand operation of web-based applications, enterprise portals and intranet portals."\r\n - source: https://en.wikipedia.org/wiki/Intrexx\r\n\r\n\r\nAffected versions\r\n===================\r\nThis vulnerability affects versions of Intrexx Professional 6.0 (prior to Online Update 10) \r\nand 5.2 (prior to Online Update 0905)\r\n\r\n\r\nPatch availability\r\n===================\r\nThe vendor has released the following fixes:\r\n"Online Update 10" or later for Intrexx Professional 6.0 users\r\n"Online Update 0905" or later for Intrexx Professional 5.2 users\r\n\r\n\r\nReported by\r\n===================\r\nThis issue was reported to the vendor by Christian Schneider (@cschneider4711) \r\nfollowing a responsible disclosure process.\r\n\r\n\r\nSeverity\r\n===================\r\nMedium\r\n\r\n\r\nExploitability\r\n===================\r\nVictim needs to visit malicious webpage of attacker\r\n\r\n\r\nDescription\r\n===================\r\nUsing the request parameter of the search functionality it is possible to execute \r\nReflected Cross-Site Scripting (XSS) attacks. This enables attackers to impersonate \r\nvictim users (in context of the origin exposing the portal) when logged-in victims \r\nare accessing attacker supplied links/sites.\r\n\r\n\r\nProof of concept\r\n===================\r\nDue to the responsible disclosure process chosen and to not harm unpatched systems, \r\nno concrete exploit code will be presented in this advisory.\r\n\r\n\r\nReferences\r\n===================\r\nhttps://help.unitedplanet.com/?rq_AppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_TargetPageGuid=7A91F4B76FFC41A18F4EA4ACE26F31E033C5B018\r\n\r\nhttps://help.unitedplanet.com/?rq_AppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_TargetPageGuid=2EBBF802B1970FE31EFC8A34108DF3F47E7A8EEC&rq_RecId=32&rq_SourceAppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_SourcePageGuid=7A91F4B76FFC41A18F4EA4ACE26F31E033C5B018&rq_SourceRecId=32#{1}\r\n\r\nhttp://www.christian-schneider.net/advisories/CVE-2014-2026.txt\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (Darwin)\r\n\r\niQIcBAEBAgAGBQJUjhC3AAoJEEDB74comLC+PQEP/3uN8CfRfZWMrWjcjZUl/OQf\r\nd9ohQf1xyHxqC2IARrJcYVTHP1i/4VhnkFGd2Q0yrRqVEzlN84qgyXArkBW9RDkR\r\nOgMkT3oqIERywpq3M9A91Jdb5LrdiFCKPj9kBbcXmsgsgZIPXlJSCQ92IoyepTrL\r\nrYw9mUUkN+qxu07xPS2gdzYtpv51PoW2svZFnQKEbXa9wl8Yw5PcPqvYJkxG/TJv\r\nKDD1U0k9d7Y5mLlvnVil8ANvDoXVD5YrNFX80pHi0hBbMQvchj2OOpq8Mia7IIjK\r\nE4GjfshwZ4XZfSlNEu7ESoKdXxOwbm9M2N5a5DwiuXOwQLh6UKrZRPQMzz6L3HyX\r\nKBjAodTGMPGtO8YHTJVsWIQpsB+gENUudxpcOJ8jnHMOwEp8T0zMHeWjaZpj2Gzm\r\n3jrRjuScT8FzJMEudBSLFwZy+Ce6rC9PA4mmPqNKADW+E32vmt17HV1wO007k84H\r\nLgmBkpvGh+ZefIhCNfKm6i6PfxFePqQZMycAJYwdF1P3IpVRHVW/o45XAyWZHOjU\r\n/wRJpwlETJjSicibVcbx7hZxv1gjPwOoePeyMK6PciD0W3jdjRsABaOfQeJ5gQgL\r\nBGfrziuu0uBnMTFWM5OJD8WW4qdWmgjQEh+xH4HErWOAV5VQJFABmkIfWfVD6vhK\r\nyHJz6lRSMRhhVCxL6E3A\r\n=fTQM\r\n-----END PGP SIGNATURE-----\r\n\r\n", "published": "2014-12-22T00:00:00", "modified": "2014-12-22T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31534", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2014-2026"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:56", "edition": 1, "viewCount": 53, "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-2026"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14155"]}]}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2014-2026"]}]}, "exploitation": null, "vulnersScore": 0.3}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647552764, "score": 1659803227}, "_internal": {"score_hash": "1171d18f7eb122e2e18260ba6a13aca3"}}

{"cve": [{"lastseen": "2022-03-23T12:30:42", "description": "Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.", "cvss3": {}, "published": "2014-12-19T15:59:00", "type": "cve", "title": "CVE-2014-2026", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2026"], "modified": "2018-10-09T19:43:00", "cpe": ["cpe:/a:unitedplanet:intrexx:5.2", "cpe:/a:unitedplanet:intrexx:6.0"], "id": "CVE-2014-2026", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2026", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:unitedplanet:intrexx:5.2:*:*:*:professional:*:*:*", "cpe:2.3:a:unitedplanet:intrexx:6.0:*:*:*:professional:*:*:*"]}], "securityvulns": [{"lastseen": "2021-06-08T18:49:55", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2014-12-22T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-8340", "CVE-2014-2025", "CVE-2014-9218", "CVE-2014-9325", "CVE-2014-9215", "CVE-2014-9219", "CVE-2014-9129", "CVE-2014-9367", "CVE-2014-8793", "CVE-2014-9277", "CVE-2014-8724", "CVE-2014-8875", "CVE-2014-2026"], "modified": "2014-12-22T00:00:00", "id": "SECURITYVULNS:VULN:14155", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14155", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}

CVE-2014-2026 Reflected Cross-Site Scripting &#40;XSS&#41; in &quot;Intrexx Professional&quot;

Description

Related

CVE-2014-2026 Reflected Cross-Site Scripting (XSS) in "Intrexx Professional"