Adiscon LogAnalyzer 4.1.6 Cross Site Scripting

2018.12.08
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Title: Cross-Site Scripting in Adiscon LogAnalyzer (CVE-2018-19877) Credit: Gustavo Sorondo / http://www.cintainfinita.com Vendor/Product: Adiscon LogAnalyzer (https://loganalyzer.adiscon.com/ https://github.com/rsyslog/loganalyzer) Vulnerability: Cross-Site Scripting (XSS) Vulnerable version: 4.1.6 and earlier Fixed in: 4.1.7 CVE: CVE-2018-19877 ## Vulnerability Details Adiscon LogAnalyzer before 4.1.7 is affected by Cross-Site Scripting (XSS) in the 'referer' parameter of the login.php file. Proof of Concept: http://my.loganalyzer.instance/login.php?referer=%22%3E%3Cscript%3Ealert('Cinta%20Infinita')%3C/script%3E ## Vulnerability Disclosure Timeline 2018-11-26 - Vulnerability discovered by Cinta Infinita 2018-11-28 - Vulnerability reported to Adiscon 2018-12-04 - Vulnerability confirmed by Adiscon 2018-12-05 - Issue is fixed and version 4.1.7 is released. 2018-12-05 - CVE-2018-19877 is assigned 2018-12-05 - Full disclosure ## Related fixes and releases https://loganalyzer.adiscon.com/news/loganalyzer-v4-1-7-v4-stable-released/ https://github.com/rsyslog/loganalyzer/commit/367b50aa1a5a3eaefacd5fa9be397e6b6480168e#diff-fd4f9de25c2c01b55759936a6cc4b029 ## About Cinta Infinita Cinta Infinita offers Information Security related services. Our Headquarters are in Buenos Aires, Argentina. For more information, visit http://cintainfinita.com -- Ing. Gustavo M. Sorondo Cinta Infinita - CTO Web: http://cintainfinita.com LinkedIn: https://www.linkedin.com/in/gustavosorondo GPG: http://www.cintainfinita.com/gpg/gs-pkey.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top