lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAFWG0-i1yLop7hHs8ZJaChcy=OqyQFm5LkO8qyHESVbNGZwyYA@mail.gmail.com>
Date: Thu, 13 Nov 2014 15:02:45 +0800
From: Jing Wang <justqdjing@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting)
	Vulnerability

CVE-2014-7290  Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability


Exploit Title: Atlas Systems Aeon XSS Vulnerability
Product: Aeon
Vendor: Atlas Systems
Vulnerable Versions: 3.6 3.5
Tested Version: 3.6
Advisory Publication: Nov 12, 2014
Latest Update: Nov 12, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7290
Solution Status: Fixed by Vendor
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]





Advisory Details:

(1) Aeon

Aeon is special collections circulation and workflow automation software
for your special collections library designed by special collections
librarians.

Aeon improves customer service and staff efficiency while providing
unparalleled item tracking, security and statistics.



(2) However, it is vulnerable to XSS Attacks.

(2.1) The first vulnerability occurs at "aeon.dll?" page, with "&Action"
parameter.
(2.2) The second vulnerability occurs at "aeon.dll?" page, with "&Form"
parameter.




Solutions:
2014-09-01: Report vulnerability to Vendor
2014-10-05: Vendor replied with thanks and vendor will change the source
code





References:
http://tetraph.com/security/xss-vulnerability/cve-2014-7290-atlas-systems-aeon-xss-cross-site-scripting-vulnerability/
https://prometheus.atlas-sys.com/display/aeon/Aeon+3.6+Release+Notes
http://cwe.mitre.org
http://cve.mitre.org/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ