CVE-2014-2026
===================
"Reflected Cross-Site Scripting (XSS)" (CWE-79) vulnerability
in the "Intrexx Professional" product
Vendor
===================
United Planet GmbH
Product
===================
"Intrexx is an integrated cross-platform development environment for the creation
and operation of web-based applications, enterprise portals and intranet portals."
- source: https://en.wikipedia.org/wiki/Intrexx
Affected versions
===================
This vulnerability affects Intrexx Professional 6.0 prior to Online Update 10
and Intrexx Professional 5.2 prior to Online Update 0905.
Patch availability
===================
The vendor has released the following fixes:
"Online Update 10" or later for Intrexx Professional 6.0 users
"Online Update 0905" or later for Intrexx Professional 5.2 users
Reported by
===================
This issue was reported to the vendor by Christian Schneider (@cschneider4711)
following a responsible disclosure process.
Severity
===================
Medium
Exploitability
===================
The victim needs to visit a malicious web page controlled by the attacker.
Description
===================
A request parameter of the search functionality is reflected into the response, which
makes Reflected Cross-Site Scripting (XSS) attacks possible. This enables attackers to
impersonate victim users (in the context of the origin serving the portal) whenever
logged-in victims access attacker-supplied links or sites.
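As an added illustration, not code from this advisory or from Intrexx, the pattern behind a CWE-79 finding in a search feature and its fix: one handler writes the reflected search term into the HTML response unchanged, the other HTML-encodes it for the element and attribute contexts it lands in. The parameter name `q`, the host name and the page template are constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed template standing in for a portal search results page.
# The term is reflected into two contexts: element text and an attribute value.
TEMPLATE = (
    '<h1>Results for {term}</h1>\n'
    '<input type="text" name="q" value="{term}">'
)


def search_term(url: str) -> str:
    """Extract the hypothetical search parameter 'q' from a request URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """CWE-79: the reflected term reaches the HTML without output encoding."""
    return TEMPLATE.format(term=search_term(url))


def render_fixed(url: str) -> str:
    """HTML-encode the term before it is written into the page.

    quote=True also escapes the quote characters, which matters for the
    value="..." attribute slot, not only for the element text.
    """
    return TEMPLATE.format(term=html.escape(search_term(url), quote=True))


def reflects_raw_markup(rendered: str, term: str) -> bool:
    """Defensive check: did a term containing markup characters survive verbatim?"""
    has_markup = any(c in term for c in '<>"\'')
    return has_markup and term in rendered


if __name__ == "__main__":
    # Constructed request whose search term contains harmless markup characters.
    demo = "https://portal.example.invalid/search?q=%3Cb%3Ehello%3C%2Fb%3E%22"
    print(render_vulnerable(demo))
    print(render_fixed(demo))
```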
Proof of concept
===================
Due to the responsible disclosure process chosen, and so as not to harm unpatched systems,
no concrete exploit code is presented in this advisory.
References
===================
https://help.unitedplanet.com/?rq_AppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_TargetPageGuid=7A91F4B76FFC41A18F4EA4ACE26F31E033C5B018
https://help.unitedplanet.com/?rq_AppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_TargetPageGuid=2EBBF802B1970FE31EFC8A34108DF3F47E7A8EEC&rq_RecId=32&rq_SourceAppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_SourcePageGuid=7A91F4B76FFC41A18F4EA4ACE26F31E033C5B018&rq_SourceRecId=32#{1}
http://www.christian-schneider.net/advisories/CVE-2014-2026.txt