Lucene search

K

SearchBlox 8.2 Cross Site Scripting Vulnerability

🗓️ 22 Jun 2015 00:00:00Reported by High-Tech BridgeType 
zdt
 zdt
🔗 0day.today👁 24 Views

SearchBlox 8.2 XSS Vulnerabilit

Show more
Related
Code
ReporterTitlePublishedViews
Family
htbridge
Reflected Cross-Site Scripting (XSS) in SearchBlox
22 Apr 201500:00
htbridge
NVD
CVE-2015-3422
18 Jun 201518:59
nvd
Packet Storm
SearchBlox 8.2 Cross Site Scripting
17 Jun 201500:00
packetstorm
Cvelist
CVE-2015-3422
18 Jun 201518:00
cvelist
Prion
Cross site scripting
18 Jun 201518:59
prion
securityvulns
Reflected Cross-Site Scripting (XSS) in SearchBlox
21 Jun 201500:00
securityvulns
securityvulns
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
21 Jun 201500:00
securityvulns
CVE
CVE-2015-3422
18 Jun 201518:59
cve
Vendor: SearchBlox Software, Inc.
Vulnerable Version(s): 8.2 and probably prior
Tested Version: 8.2
Advisory Publication:  April 22, 2015  [without technical details]
Vendor Notification: April 22, 2015 
Vendor Patch: May 26, 2015 
Public Disclosure: June 17, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-3422
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered XSS vulnerability in SearchBlox, which can be exploited to perform Cross-Site Scripting attacks against the vulnerable web application administrators.

Input passed via the "menu2" HTTP GET parameter to "/searchblox/admin/main.jsp" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and scripting code in his browser in context of the vulnerable website.

A simple XSS exploit below uses the "alert()" JS function to display a box with "ImmuniWeb" word:

http://[host]/searchblox/admin/main.jsp?menu1=adm&menu2=%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E


-----------------------------------------------------------------------------------------------

Solution:

Update to SearchBlox 8.2.1

#  0day.today [2018-04-12]  #

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
22 Jun 2015 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.003
24
.json
Report