================================================================ Celoxis <= 9.5 - Cross Site Scripting (XSS) ================================================================ Information -------------------- Name: Celoxis <= 9.5 - Cross Site Scripting (XSS) Affected Software : Celoxis Affected Versions: <= 9.5 Vendor Homepage : http://www.celoxis.com Vulnerability Type : Cross Site Scripting Severity : Low CVE: n/a Product -------------------- Celoxis is a web-based project management software. Description -------------------- Exist a vulnerability in the calendar.wm that allow an attacker execute arbitrary javascript in the browser context of a victim. Also, the attacker could steal the cookie because it is not being protected by HTTPOnly flag and is possible avoid the filters with the eval function. Proof of Concept URL -------------------- https://celoxisSite/psa/cal.Calendar.wm?p_ca_date=<script>alert("XSS")</script> Advisory Timeline -------------------- 08/10/2015 - Informed Vendor about Issue 08/10/2015 - Vendor responded 12/11/2015 - Reminded Vendor 14/11/2015 - Vendor responded saying 'they changed the framework itself to handle XSS'. 23/11/2015 - Fix released (vendor informed us) 23/11/2015 - Vulnerability published Credits & Authors -------------------- Manuel Mancera (@sinkmanu) www.a2secure.com Disclaimer ------------------- All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore A2Secure shall not be liable for any direct or indirect damages that might be caused by using this information.