lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAFWG0-hXB28mCC6h3XkmWYaH6R4-REvyOU-oqpXx_B2O8snTsQ@mail.gmail.com>
Date: Thu, 12 Feb 2015 17:44:30 +0800
From: Jing Wang <justqdjing@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting)
	Security Vulnerabilities

*CVE-2014-8753  Cit-e-Net Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities*


Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities
Product: Cit-e-Access
Vendor: Cit-e-Net
Vulnerable Versions: Version 6
Tested Version: Version 6
Advisory Publication: Feb 12, 2015
Latest Update: Feb 12, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8753
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]





*Advisory Details:*
*(1) Vendor & Product Description:*

*Vendor:*
Cit-e-Net

*Product & Version: *
Cit-e-Access
Version 6

*Vendor URL & Download: *
Cit-e-Net can be downloaded from here,
https://www.cit-e.net/citeadmin/help/cntrainingmanualhowto.pdf
http://demo.cit-e.net/
http://www.cit-e.net/demorequest.cfm
http://demo.cit-e.net/Cit-e-Access/ServReq/?TID=1&TPID=17

*Product Introduction:*
"We are a premier provider of Internet-based solutions encompassing web
site development and modular interactive e-government applications which
bring local government, residents and community businesses together."

"Cit-e-Net provides a suite of on-line interactive services to counties,
municipalities, and other government agencies, that they in turn can offer
to their constituents. The municipal government achieves a greater degree
of efficiency and timeliness in conducting the daily operations of
government, while residents receive improved and easier access to city hall
through the on-line access to government services."




*(2) Vulnerability Details:*
Cit-e-Access has a security problem. It can be exploited by XSS attacks.

*(2.1)* The first vulnerability occurs at "/eventscalendar/index.cfm?" page
with "&DID" parameter in HTTP GET.

*(2.2)* The second vulnerability occurs at "/search/index.cfm?" page with
"&keyword" parameter in HTTP POST.

*(2.3)* The third vulnerability occurs at "/news/index.cfm" page with
"&jump2" "&DID" parameter in HTTP GET.

*(2.4)* The fourth vulnerability occurs at "eventscalendar?" page with
"&TPID" parameter in HTTP GET.

*(2.5) *The fifth vulnerability occurs at "/meetings/index.cfm?" page with
"&DID" parameter in HTTP GET.




*(3) Solutions:*
Leave message to vendor. No response.
http://www.cit-e.net/contact.cfm









*References:*
http://tetraph.com/security/cves/cve-2014-8753-cit-e-net-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/cve-2014-8753-cit-e-net-multiple-xss.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8753
https://security-tracker.debian.org/tracker/CVE-2014-8753
http://www.cvedetails.com/cve/CVE-2014-8753/
http://www.security-database.com/detail.php?alert=CVE-2014-8753
http://packetstormsecurity.com/files/cve/CVE-2014-8753
http://www.inzeed.com/kaleidoscope/cves/cve-2014-8753/
http://www.pentest.it/cve-2014-8753.html
http://www.naked-security.com/cve/CVE-2014-8753/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/cve-2014-8753/
http://007software.net/cve-2014-8753/
https://itinfotechnology.wordpress.com/2015/02/12/cve-2014-8753/
https://security-tracker.debian.org/tracker/CVE-2014-8753







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists