NetCracker Resource Management System versions 8.0 and below suffer from multiple cross site scripting vulnerabilities.
919ec0379fdf91eec0154ace839eb6d6c2a1ed54c9f07a49617f729d6eeb7926# Vulnerability type: Cross-site Scripting
# Vendor: http://www.netcracker.com/
# Product: NetCracker Resource Management System
# Affected version: =< 8.0
# Patched version: 8.2
# Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan
# CVE ID: CVE-2015-2207
# PROOF OF CONCEPT (XSS)
Cross-site scripting (XSS) vulnerability in multiple pages in NetCracker
Resource Management System and earlier allows authenticated users to
inject arbitrary javascript via multiple parameters.
# VULNERABLE PARAMETERS:
ctrl
- t90001_0_theform_selection
- _scroll
- tableName
- parent
- circuit
- return
- xname
- mpTransactionId
- (etc...)
# SAMPLE PAYLOAD
- <script>alert("XSS")</script>
# TIMELINE
- 28/02/2015: Vulnerability found
- 13/03/2015: Vendor informed
- 13/03/2015: Vendor responded and acknowledged
- 19/05/2015: Vendor fixed the issue
- 22/07/2015: Public disclosure
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed