NetCracker Resource Management 8.0 - XSS Vulnerability

2015-07-27T00:00:00
ID SECURITYVULNS:DOC:32365
Type securityvulns
Reporter Securityvulns
Modified 2015-07-27T00:00:00

Description

Vulnerability type: Cross-site Scripting

Vendor: http://www.netcracker.com/

Product: NetCracker Resource Management System

Affected version: =< 8.0

Patched version: 8.2

Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan

CVE ID: CVE-2015-2207

PROOF OF CONCEPT (XSS)

Cross-site scripting (XSS) vulnerability in multiple pages in NetCracker Resource Management System and earlier allows authenticated users to inject arbitrary javascript via multiple parameters.

VULNERABLE PARAMETERS:

ctrl - t90001_0_theform_selection - _scroll - tableName - parent - circuit - return - xname - mpTransactionId - (etc...)

SAMPLE PAYLOAD

  • <script>alert("XSS")</script>

TIMELINE

  • 28/02/2015: Vulnerability found
  • 13/03/2015: Vendor informed
  • 13/03/2015: Vendor responded and acknowledged
  • 19/05/2015: Vendor fixed the issue
  • 22/07/2015: Public disclosure