lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 5 Nov 2014 10:28:44 -0300
From: Luciano Pedreira <lpedreira@...il.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] CVE-2014-8557 - JExperts Tecnologia - Channel Software Cross
 Site Scripting Issues

CVE-2014-8557 - JExperts Tecnologia / Channel Software Cross Site Scripting
Issues
Vendor Notified: 2014-10-27


INTRODUCTION:

The Channel Platform is an enterprise software project management (or
project management) developed by Brazilian company

JExperts Technology and present at thousands clients private enterprise and
government enterprise. This software consists of an integrated set of
solutions in the areas of strategy, projects and processes.


This problem was confirmed in the following versions of the Channel, other
versions maybe also affected.

Version: 5.0.33_CCB


DETAILS:

The Channel software is affected by Multiple Stored Cross Site Scripting.
The variable "usuario.nome" in page
".../channel/usuario.do?action=editarUsuario&id=XXX", accessible in menu
"Ferramentas" and submenu "alterar dados pessoais", and the variable
"titulo.form" in page "...channel/ticket.do?action=novoChamado", accessible
in menu "[incluir solicitação...]" do not sanitize input data, allowing
attacker to store malicious javascript code in a page.



CREDITS:

This vulnerability was discovered and researched by Luciano Pedreira
(a.k.a. shark)

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists