Document Title:
==============
Nokia Solutions and Networks @vantage - Multiple Reflected XSS
Release Date:
============
9 Sep 2015
Abstract Advisory Information:
=============================
Ugur Cihan Koc discovered twentySeven Reflected XSS
vulnerability in Nokia NSN @vantage
Vulnerability Disclosure Timeline:
=================================
24 July 2015 Bug reported to the vendor.
28 July 2015 Asked about the case.
8 Sep 2015 End of support for this product, reported by the vendor
Discovery Status:
================
Published
Affected Product(s):
===================
Nokia NSN @vantage
Exploitation Technique:
======================
Local, Authenticated
Severity Level:
==============
Medium
Technical Details & Description:
===============================
Affected Path/Parameter[27] :
/cftraces/filter/fl_copy.jsp
idFilter
nameFilter
/cftraces/filter/fl_crea1.jsp
flName
/cftraces/process/pr_show_process.jsp
serchStatus
refreshTime
serchNode
/cftraces/session/se_crea.jsp
MaxActivationTime
NumberOfBytes
NumberOfTracefiles
SessionName
serchSessionkind
/cftraces/session/se_show.jsp
serchSessionDescription
/cftraces/session/tr_crea_filter.jsp
serchApplication
serchApplicationkind
/cftraces/session/tr_create_tagg_para.jsp
columKeyUnique
columParameter
componentName
criteria1
criteria2
criteria3
description
filter
id
pathName
tableName
component
/home/certificate_association.jsp
userid
Proof of Concept (PoC):
======================
Proof of Concept
https://drive.google.com/open?id=0B-LWHbwdK3P9eTNKRkdDWGpkN2M
Solution Fix & Patch:
====================
There aren't any fix for the issue. [End of Support]
Security Risk:
=============
The risk of the vulnerability above estimated as medium.
Credits & Authors:
=================
Ugur Cihan Koc(@_uceka_)
Blog: www.uceka.com