| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Nov 2014 15:02:45 +0800 From: Jing Wang <justqdjing@...il.com> To: fulldisclosure@...lists.org Subject: [FD] CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability Exploit Title: Atlas Systems Aeon XSS Vulnerability Product: Aeon Vendor: Atlas Systems Vulnerable Versions: 3.6 3.5 Tested Version: 3.6 Advisory Publication: Nov 12, 2014 Latest Update: Nov 12, 2014 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: CVE-2014-7290 Solution Status: Fixed by Vendor Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore] Advisory Details: (1) Aeon Aeon is special collections circulation and workflow automation software for your special collections library designed by special collections librarians. Aeon improves customer service and staff efficiency while providing unparalleled item tracking, security and statistics. (2) However, it is vulnerable to XSS Attacks. (2.1) The first vulnerability occurs at "aeon.dll?" page, with "&Action" parameter. (2.2) The second vulnerability occurs at "aeon.dll?" page, with "&Form" parameter. Solutions: 2014-09-01: Report vulnerability to Vendor 2014-10-05: Vendor replied with thanks and vendor will change the source code References: http://tetraph.com/security/xss-vulnerability/cve-2014-7290-atlas-systems-aeon-xss-cross-site-scripting-vulnerability/ https://prometheus.atlas-sys.com/display/aeon/Aeon+3.6+Release+Notes http://cwe.mitre.org http://cve.mitre.org/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists