Atlas Systems Aeon 3.5 / 3.6 Cross Site Scripting

2014.11.15
Credit: Wang Jing
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


Ogólna skala CVSS: 4.3/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability Exploit Title: Atlas Systems Aeon XSS Vulnerability Product: Aeon Vendor: Atlas Systems Vulnerable Versions: 3.6 3.5 Tested Version: 3.6 Advisory Publication: Nov 12, 2014 Latest Update: Nov 12, 2014 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: CVE-2014-7290 Solution Status: Fixed by Vendor Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore] Advisory Details: (1) Aeon Aeon is special collections circulation and workflow automation software for your special collections library designed by special collections librarians. Aeon improves customer service and staff efficiency while providing unparalleled item tracking, security and statistics. (2) However, it is vulnerable to XSS Attacks. (2.1) The first vulnerability occurs at "aeon.dll?" page, with "&Action" parameter. (2.2) The second vulnerability occurs at "aeon.dll?" page, with "&Form" parameter. Solutions: 2014-09-01: Report vulnerability to Vendor 2014-10-05: Vendor replied with thanks and vendor will change the source code References: http://tetraph.com/security/xss-vulnerability/cve-2014-7290-atlas-systems-aeon-xss-cross-site-scripting-vulnerability/ https://prometheus.atlas-sys.com/display/aeon/Aeon+3.6+Release+Notes http://cwe.mitre.org http://cve.mitre.org/

Referencje:

http://tetraph.com/security/xss-vulnerability/cve-2014-7290-atlas-systems-aeon-xss-cross-site-scripting-vulnerability/
https://prometheus.atlas-sys.com/display/aeon/Aeon+3.6+Release+Notes
http://cwe.mitre.org
http://cve.mitre.org/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top