# Exploit Title: ServersCheck Monitoring Software before 14.2.3 Cross-site scripting vulnerability # CVE: CVE-2017-17832 # Date: 21-12-2017 # Exploit Author: Aloyce J. Makalanga # Contact: https://twitter.com/aloycemjr <https://twitter.com/aloycemjr> # Vendor Homepage: http://serverscheck.com # Category: webapps # Attack Type: Remote # Impact: Data/Cookie theft ***Disclosure Timeline*** 20-12-2017 - Vulnerability discovered 20-12-2017 - Vulnerability reported to the vendor 21-12-2017 - Vendor responded indicating that a patch will be available within 24 hours 21-12-2017 - Patch released (See https://serverscheck.com/monitoring-software/release.asp <https://serverscheck.com/monitoring-software/release.asp> ) 1. Description ServersCheck Monitoring Software before 14.2.3 is prone to a cross-site scripting vulnerability as user supplied-data is not validated/sanitized when passed in the settings_SMS_ALERT_TYPE parameter, and JavaScript can be executed on settings-save.html (the Settings - SMS Alerts page). If exploited, an authenticated attacker could steal victims' cookie, session tokens or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. 2. Proof of Concept See: https://serverscheck.com/monitoring-software/release.asp <https://serverscheck.com/monitoring-software/release.asp> 3. Solution: Update to version 14.2.3 http://downloads.serverscheck.com/monitoring_software/setup.exe