JExperts Tecnologia / Channel Software Cross Site Scripting

2014.11.07
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


Ogólna skala CVSS: 4.3/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

CVE-2014-8557 - JExperts Tecnologia / Channel Software Cross Site Scripting Issues Vendor Notified: 2014-10-27 INTRODUCTION: The Channel Platform is an enterprise software project management (or project management) developed by Brazilian company JExperts Technology and present at thousands clients private enterprise and government enterprise. This software consists of an integrated set of solutions in the areas of strategy, projects and processes. This problem was confirmed in the following versions of the Channel, other versions maybe also affected. Version: 5.0.33_CCB DETAILS: The Channel software is affected by Multiple Stored Cross Site Scripting. The variable "usuario.nome" in page ".../channel/usuario.do?action=editarUsuario&id=XXX", accessible in menu "Ferramentas" and submenu "alterar dados pessoais", and the variable "titulo.form" in page "...channel/ticket.do?action=novoChamado", accessible in menu "[incluir solicitaão...]" do not sanitize input data, allowing attacker to store malicious javascript code in a page. CREDITS: This vulnerability was discovered and researched by Luciano Pedreira (a.k.a. shark)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top