Atlas Systems Aeon 3.5 / 3.6 Cross Site Scripting

2014.11.15
Credit: Wang Jing
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability Exploit Title: Atlas Systems Aeon XSS Vulnerability Product: Aeon Vendor: Atlas Systems Vulnerable Versions: 3.6 3.5 Tested Version: 3.6 Advisory Publication: Nov 12, 2014 Latest Update: Nov 12, 2014 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: CVE-2014-7290 Solution Status: Fixed by Vendor Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore] Advisory Details: (1) Aeon Aeon is special collections circulation and workflow automation software for your special collections library designed by special collections librarians. Aeon improves customer service and staff efficiency while providing unparalleled item tracking, security and statistics. (2) However, it is vulnerable to XSS Attacks. (2.1) The first vulnerability occurs at "aeon.dll?" page, with "&Action" parameter. (2.2) The second vulnerability occurs at "aeon.dll?" page, with "&Form" parameter. Solutions: 2014-09-01: Report vulnerability to Vendor 2014-10-05: Vendor replied with thanks and vendor will change the source code References: http://tetraph.com/security/xss-vulnerability/cve-2014-7290-atlas-systems-aeon-xss-cross-site-scripting-vulnerability/ https://prometheus.atlas-sys.com/display/aeon/Aeon+3.6+Release+Notes http://cwe.mitre.org http://cve.mitre.org/

References:

http://tetraph.com/security/xss-vulnerability/cve-2014-7290-atlas-systems-aeon-xss-cross-site-scripting-vulnerability/
https://prometheus.atlas-sys.com/display/aeon/Aeon+3.6+Release+Notes
http://cwe.mitre.org
http://cve.mitre.org/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top