Lucene search
High-Tech Bridge1337DAY-ID-22216HistoryMay 08, 2014 - 12:00 a.m.
Offiria 2.1.0 Cross Site Scripting Vulnerability
2014-05-0800:00:00
High-Tech Bridge
0day.today
22
0.003 Low
EPSS
Percentile
63.7%
Offiria version 2.1.0 suffers from a cross site scripting vulnerability.
Product: Offiria
Vendor: Slashes & Dots Sdn Bhd.
Vulnerable Version(s): 2.1.0 and probably prior
Tested Version: 2.1.0
Advisory Publication: April 2, 2014 [without technical details]
Vendor Notification: April 2, 2014
Public Disclosure: May 7, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-2689
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Solution Available
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in Offiria, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users of vulnerable application.
1) Reflected Cross-Site Scripting (XSS) in Offiria: CVE-2014-2689
The vulnerability exists due to insufficient sanitisation of user-supplied data in URI after "/installer/index.php" script that is not removed from the system by default. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The following exploitation example displays "immuniweb" word:
http://[host]/installer/index.php/%22onmouseover%3d%22alert%28%27immuniweb%27%29;%22%3d%22%3E
-----------------------------------------------------------------------------------------------
Solution:
Currently we are not aware of any official solution for this vulnerability. The vendor did not respond to:
- 6 notifications by email
- 1 notification via twitter
- 1 notification via GitHub
As a temporary solution it is recommended to remove the vulnerable script or restrict access to it via .htaccess file or WAF.
# 0day.today [2018-04-13] #Related
prion
prion
Cross site scripting
2014-05-08 14:29:00
htbridge
htbridge
Cross-Site Scripting (XSS) in Offiria
2014-04-02 00:00:00
securityvulns
securityvulns
[oss-security] CVE Request ---- SOAPpy 0.12.5 Multiple Vulnerabilities
2014-05-10 00:00:00
Cross-Site Scripting (XSS) in Offiria
2014-05-10 00:00:00
openvas
openvas
Offiria Cross-Site Scripting Vulnerability
2015-05-27 00:00:00
cve
cve
CVE-2014-2689
2014-05-08 14:29:00
packetstorm
packetstorm
Offiria 2.1.0 Cross Site Scripting
2014-05-07 00:00:00
cvelist
cvelist
CVE-2014-2689
2014-05-08 14:00:00