XSS vulnerability Adobe Connect 9.3 (CVE-2015-0343 )

2015-06-14T00:00:00
ID SECURITYVULNS:DOC:32228
Type securityvulns
Reporter Securityvulns
Modified 2015-06-14T00:00:00

Description

Advisory: Adobe Connect Reflected XSS Author: Stas Volfus (Bugsec Information Security LTD) Vendor URL: http://www.adobe.com/ Status: Vendor Notified

========================== Vulnerability Description ==========================

Adobe Connect (Central) version: 9.3 is vulnerable to Reflected XSS (Cross Site Scripting).

The attack allows execution of arbitrary JavaScript in the context of the user’s browser.

CVE id: CVE-2015-0343 assigned for this issue.

========================== PoC ========================== The following URL demonstrates the vulnerability:

https://vulnerablewebsite.com/admin/home/homepage/search?account-id=1&filter-rows=1&filter-start=0&now=yes&query=<a href="javascript:alert('XSS')">XSS Link</a>

========================== Disclosure Timeline ==========================

04-NOV-2014 - Vendor notified

01-DEC-2014 - CVE assigned

27-MAR-2015 - Resolved by vendor, fix deployed on Adobe Connect 9.4.

========================== References ========================== http://www.adobe.com/il_en/products/adobeconnect.html https://helpx.adobe.com/adobe-connect/release-note/connect-94-release-notes.html