lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKjh9afEZjrGVJ=b2jZifOhhjJsjLZ9HUAhy=thfE=3FgVDMjA@mail.gmail.com> Date: Wed, 5 Nov 2014 10:28:44 -0300 From: Luciano Pedreira <lpedreira@...il.com> To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org Subject: [FD] CVE-2014-8557 - JExperts Tecnologia - Channel Software Cross Site Scripting Issues CVE-2014-8557 - JExperts Tecnologia / Channel Software Cross Site Scripting Issues Vendor Notified: 2014-10-27 INTRODUCTION: The Channel Platform is an enterprise software project management (or project management) developed by Brazilian company JExperts Technology and present at thousands clients private enterprise and government enterprise. This software consists of an integrated set of solutions in the areas of strategy, projects and processes. This problem was confirmed in the following versions of the Channel, other versions maybe also affected. Version: 5.0.33_CCB DETAILS: The Channel software is affected by Multiple Stored Cross Site Scripting. The variable "usuario.nome" in page ".../channel/usuario.do?action=editarUsuario&id=XXX", accessible in menu "Ferramentas" and submenu "alterar dados pessoais", and the variable "titulo.form" in page "...channel/ticket.do?action=novoChamado", accessible in menu "[incluir solicitação...]" do not sanitize input data, allowing attacker to store malicious javascript code in a page. CREDITS: This vulnerability was discovered and researched by Luciano Pedreira (a.k.a. shark) _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists