| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 24 Jul 2016 11:33:12 GMT From: alex_haynes@...look.com To: bugtraq@...urityfocus.com Subject: Neoscreen v4.5 Cross-site scripting Exploit Title: Neoscreen Cross-site scripting Product: Neoscreen by Cube Digital Media Vulnerable Versions: 4.5 and all previous versions Tested Version: 4.5 Advisory Publication: July 24, 2016 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: NONE Credit: Alex Haynes Advisory Details: (1) Vendor & Product Description -------------------------------- Vendor: Cube Digital Media Product & Version: Neoscreen digital signage software v4.5 Vendor URL & Download: http://www.cube-display.fr Product Description: "Neoscreen is an innovative, scalable and particularly powerful communication system. With just a few clicks, you can control all your dynamic display screens from your PC, wherever they may be in the world. " (2) Vulnerability Details: -------------------------- Several URL's in the management software are vulnerable to Cross-site scripting (XSS) attacks. Proof of concept: http://neoscreen/cubelocal//include/session_login.asp?errcode=<script>alert(1)</script> (3) Advisory Timeline: ---------------------- 25/01/2016 - First Contact: vendor responds saying they are working on fix 24/02/2016 - Follow up e-mail to request fix timeline. No vendor response. 03/03/2016 - Follow up e-mail to request fix timeline. No vendor response. 04/03/2016 - Vendor responds saying fix will be available 14/03/2016. (4)Solution: ------------ Upgrade to version 5.0 (5) Credits: ------------ Discovered by Alex Haynes
Powered by blists - more mailing lists