Date: Sat, 18 May 2019 14:20:40 +0300
From: Kubilay Onur Gungor <kubilay@...erstruggle.org>
To: <bugtraq@...urityfocus.com>
Subject: Emerson Network Power Cross Site Scripting(XSS) Vulnerability

I. VULNERABILITY
-------------------------
httpGetSet/httpGet.htm on Emerson Network Power Liebert Challenger 5.1E0.5 devices allows XSS via the statusstr parameter.

II. CVE REFERENCE
-------------------------
CVE-2019-12167

III. VENDOR
-------------------------
Emerson Network Power

IV. TIMELINE
-------------------------
13/05/2019 Vulnerability discovered

V. CREDIT
-------------------------
Kubilay Onur Gungor from Cyber Struggle

VI. DESCRIPTION
-------------------------
Cross Site Scripting (XSS) allows clients to inject scripts into a request and have the server return the script to the client in the response. This occurs because the application is taking untrusted data and reusing it without performing any validation or sanitisation. A remote user can conduct cross-site scripting attacks.

Affected Component:
Path(inurl): /httpGetSet/httpGet.htm?
Parameter: statusstr

VII. SOLUTION
-------------------------
Update to latest version.
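
Added example, not part of the original advisory: a check a defender could run over web-server or proxy access logs to find requests to the affected path whose statusstr value carries HTML markup characters. The log lines are constructed, and the combined-log-style layout and the case-insensitive path match are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Path and parameter named in the advisory (compared case-insensitively, an assumption).
AFFECTED_PATH = "/httpgetset/httpget.htm"
PARAM = "statusstr"
# Request line inside a combined-log-style entry (log layout is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that let a reflected value break out of text into markup.
MARKUP_CHARS = set("<>\"'`")

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C), bounded to a few rounds."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_statusstr(log_line):
    """Return the decoded statusstr value if it contains markup characters, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path.lower() != AFFECTED_PATH:
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == PARAM:
            value = decode_fully(value)  # parse_qsl already decoded one layer
            if MARKUP_CHARS & set(value):
                return value
    return None

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/May/2019:10:00:01 +0000] "GET /httpGetSet/httpGet.htm?statusstr=OK HTTP/1.1" 200 512',
    '192.0.2.44 - - [18/May/2019:10:02:17 +0000] "GET /httpGetSet/httpGet.htm?statusstr=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 540',
    '192.0.2.44 - - [18/May/2019:10:02:30 +0000] "GET /httpGetSet/httpGet.htm?statusstr=%253Cb%253E HTTP/1.1" 200 520',
    '192.0.2.10 - - [18/May/2019:10:03:00 +0000] "GET /index.htm?statusstr=%3Cb%3E HTTP/1.1" 200 300',
]

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    return [(i, v) for i, line in enumerate(lines, 1)
            if (v := suspicious_statusstr(line)) is not None]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: statusstr carries markup: {value!r}")
```
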