Neoscreen 4.5 Cross Site Scripting

2016.07.26
Credit: Alex Haynes
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Exploit Title: Neoscreen Cross-site scripting
Product: Neoscreen by Cube Digital Media
Vulnerable Versions: 4.5 and all previous versions
Tested Version: 4.5
Advisory Publication: July 24, 2016
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: NONE
Credit: Alex Haynes

Advisory Details:

(1) Vendor & Product Description
--------------------------------
Vendor: Cube Digital Media
Product & Version: Neoscreen digital signage software v4.5
Vendor URL & Download: http://www.cube-display.fr
Product Description: "Neoscreen is an innovative, scalable and particularly powerful communication system. With just a few clicks, you can control all your dynamic display screens from your PC, wherever they may be in the world."

(2) Vulnerability Details:
--------------------------
Several URLs in the management software are vulnerable to Cross-site scripting (XSS) attacks.

Proof of concept:
http://neoscreen/cubelocal//include/session_login.asp?errcode=<script>alert(1)</script>

(3) Advisory Timeline:
----------------------
25/01/2016 - First Contact: vendor responds saying they are working on fix
24/02/2016 - Follow up e-mail to request fix timeline. No vendor response.
03/03/2016 - Follow up e-mail to request fix timeline. No vendor response.
04/03/2016 - Vendor responds saying fix will be available 14/03/2016.

(4) Solution:
------------
Upgrade to version 5.0

(5) Credits:
------------
Discovered by Alex Haynes
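For sites that cannot move to version 5.0 immediately, the reflected parameter from the proof of concept can be watched for in web server logs. The following is an added example, not part of the original advisory or the vendor's code: it flags requests to session_login.asp whose errcode value contains HTML metacharacters after percent-decoding. The log format, the benign value errcode=2, the client addresses and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Page and parameter named in the advisory's proof of concept. The advisory says
# several URLs are affected but names only this one, so only it is matched here.
TARGET_PAGE = "/include/session_login.asp"
TARGET_PARAM = "errcode"
HTML_META = re.compile(r"[<>\"'`]")  # characters that can break out of HTML context
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_errcode(request_target):
    """Return the decoded errcode value if it contains HTML metacharacters, else None."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith(TARGET_PAGE):
        return None
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == TARGET_PARAM:
            value = fully_decode(raw)
            if HTML_META.search(value):
                return value
    return None

def scan(log_lines):
    """Return (line_number, decoded_value) for each flagged request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_LINE.search(line)
        value = suspicious_errcode(match.group(1)) if match else None
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample log lines (combined-log style; the log format is an assumption).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Jul/2016:10:01:02 +0000] "GET /cubelocal//include/session_login.asp?errcode=2 HTTP/1.1" 200 512',
    '198.51.100.9 - - [26/Jul/2016:10:02:10 +0000] "GET /cubelocal//include/session_login.asp?errcode=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 540',
    '198.51.100.9 - - [26/Jul/2016:10:02:31 +0000] "GET /cubelocal//include/session_login.asp?errcode=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 540',
    '198.51.100.7 - - [26/Jul/2016:10:03:00 +0000] "GET /cubelocal/index.asp HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: errcode={value!r}")
```

A hit shows that a crafted link was requested, not that a script ran in a browser; treat it as a prompt to check who followed the link and whether the instance is still on 4.5 or earlier.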

