XSS Vulnerability in Synnefo Client for Synnefo IMS 2015 - CVE-2015-8247 Dec 12 2015 04:31PM
Aravind (altoarun gmail com)
Information

=================================

#Vulnerability type: Cross Site Scripting (XSS)

#Vendor: http://www.synnefoims.com/

#Product: Synnefo Client for Synnefo Internet Management Software

(IMS) 2015 (http://www.synnefoims.com/products.html)

CVE Reference:

=================================

CVE-2015-8247

Technical Details:

=================================

A reflected cross site scripting (XSS) vulnerability was found in synnefoclient

for Synnefo IMS 2015. The vulnerability has been discovered in the plan_name

parameter on the request to fetch the package details for the logged in user.

Request method is GET.

Vulnerable Parameter

=================================

plan_name

Sample Payload with URL

=================================

http://<domain_name>/synnefoclient/packagehistory/listusagesdata?active_
plan=1&uname=<username>&st_date=2015-10-01+08%3A39%3A32&end_date=2015-10
-31+23%3A59%3A59&plan_name=<script>alert(â??xssâ??);</script>

Exploitation Technique:

==================================

Remote

Severity Level:

==================================

High

Timeline

=================================

-Vendor notified - Tue, 27 Oct 2015 11:32:21 +0530

-Vendor responded and acknowledged - Tue, 27 Oct 2015 12:27:50 +0530

Credits & Authors

===================================

Aravind C Ajayan

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus