I. VULNERABILITY ------------------------- XSS Reflected vulnerability in RiverBed Stingray Traffic Manager Virtual Appliance V 9.6 II. BACKGROUND ------------------------- Silver Peak VX software marries the cost and flexibility benefits of virtualization with the performance gains associated with Silver Peak WAN optimization technology. III. DESCRIPTION ------------------------- Has been detected a XSS Reflected vulnerability in Riverbed Stingray Traffic Manager Virtual Appliance V 9.6 "/apps/zxtm/locallog.cgi?logfile=" parameter "logfile" in version 9.6, that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser. IV. PROOF OF CONCEPT ------------------------- The application does not validate the parameter "logfile" https://10.200.210.108:9090/apps/zxtm/locallog.cgi?logfile=aaaa<script alert(document.cookie);</script> V. BUSINESS IMPACT ------------------------- Vulnerability allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser and Session hijacking. VI. REQUIREMENTS ----------------------- An Attacker needs to know the IP of the device. An Administrator needs an authenticated connection to the device. VII. SYSTEMS AFFECTED ------------------------- Try version 9.6 (patchlevel 9620140312) VIII. SOLUTION ------------------------- All parameter must be validated. Riverbed not information about fix.