Serena Business Manager Cross Site Scripting

2016.02.13

Credit: Zeroday.pro Labs

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: Serena Business Manager < 10.01 DOM XSS Vulnerability
# Date: 11-feb-16
# Exploit Author: Zeroday.pro Labs
# Software Link: https://www.serena.com/index.php/en/products/it-process-portal-management/sbm/overview/
# Version: Tested and working on 10.01.04.01.1068 (build 10)
Serena Business Manager is vulnerable to a DOM cross-site scripting (XSS) attack. The attack allows execution of arbitrary JavaScript in the context of the user?s browser.
Vulnerability resides in source location.href at tmtrack.dll and sink jQuery.html
Example:
The SBM User Workspace cannot be embedded in another frame.<br><a href=http://link/tmtrack/tmtrack.dll target=_new>1337</a>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Serena Business Manager Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.