WiredRed EPOP XSS Vulnerability

2006.02.11
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

---Summary---
Software Affected: EPOP WebConference Server
Software Versions: 4.1.0.755
Vendors URL: www.wiredred.com
Vulnerability Type: Cross Site Scripting (stored)
Proof of Concept: An exploit is not required
Threat Level: Low

---Product Description---
e/pop from WiredRed provides a complete solution for all of your real-time communications requirements: web and desktop video conferencing, secure IM and alert messaging. As a user, you'll love the hassle-free interface and breadth of options that will enhance your training, sales and collaboration.

---Vulnerability Description---
When a public or private conference is created on the e/pop server, the topic name is not sanitized before it is rendered. Because the conference list, including the topic, is shown on the root (login) page of the e/pop web server, script injected into a topic runs in the browser of every user who visits that page. Among other things, the injected script can rewrite the login form so that visitors submit their credentials to a remote server chosen by the attacker. SSL is optional on the web server by default; enabling it does not mitigate the issue, since the injected script is served by the legitimate host over the same connection as the page. Any standard authenticated user can perform this attack against all other users and visitors of the web server.

---Solution---
None at this time.

---Credit---
Adrian Castro


Copyright 2024, cxsecurity.com

 
