| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201611080717.uA87HAQZ018072@sf01web3.securityfocus.com>
Date: Tue, 8 Nov 2016 07:17:10 GMT
From: sanehsingh@...trolcase.com
To: bugtraq@...urityfocus.com
Subject: Cross Site Scripting Vulnerability In Verint Impact 360
Overview
========
* Title : Cross Site Scripting Vulnerability In Verint Impact 360
* Author: Sanehdeep Singh
* Plugin Homepage: http://www.verint.com
* Severity: Medium
* Version Affected: 11.1
* Version patched: Patches available. Contact Vendor
Description
===========
About the Product
=================
Verint Impact 360 is a quality monitoring/call recording, workforce management, performance management, and eLearning help optimize business operations, customer relationships,and personnel enterprise-wide application.
Vulnerable Parameter
--------------------
Send Message > Select Employee >
requiredPrivilegeIDs= XSS Payload
About Vulnerability
-------------------
Verint Impact 360 application is vulnerable to a Cross Site Scripting Vulnerability which allows an attacker to perform the phishing or session hijaking attacks. Attackers can redirect the user to fake page to obtain the username and passwords or inject scripts to steal the cookies which can lead to session hijacking attacks.
Vulnerability Class
===================
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
#Live Poc URL
https://xxx/wfo/control/emp_selector_pu?selectorName=Employee_GN31&isRefreshOpenerOnClose=false&isMultiSelectEnabled=true&userRequired=false&isShowActiveEmployeesOnly=true&requiredPrivilegeIDs=<script>alert("XSS")</script>
Mitigation
==========
Contact Verint team for Mitigation.
Disclosure
==========
29-August-2016 Reported to Verint Team
Credits
=======
* Sanehdeep Singh
* Senior Consultant
* ControlCase International Pvt Ltd.
Powered by blists - more mailing lists