CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability Exploit Title: Atlas Systems Aeon XSS Vulnerability Product: Aeon Vendor: Atlas Systems Vulnerable Versions: 3.6 3.5 Tested Version: 3.6 Advisory Publication: Nov 12, 2014 Latest Update: Nov 12, 2014 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: CVE-2014-7290 Solution Status: Fixed by Vendor Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore] Advisory Details: (1) Aeon Aeon is special collections circulation and workflow automation software for your special collections library designed by special collections librarians. Aeon improves customer service and staff efficiency while providing unparalleled item tracking, security and statistics. (2) However, it is vulnerable to XSS Attacks. (2.1) The first vulnerability occurs at "aeon.dll?" page, with "&Action" parameter. (2.2) The second vulnerability occurs at "aeon.dll?" page, with "&Form" parameter. Solutions: 2014-09-01: Report vulnerability to Vendor 2014-10-05: Vendor replied with thanks and vendor will change the source code References: http://tetraph.com/security/xss-vulnerability/cve-2014-7290-atlas-systems-aeon-xss-cross-site-scripting-vulnerability/ https://prometheus.atlas-sys.com/display/aeon/Aeon+3.6+Release+Notes http://cwe.mitre.org http://cve.mitre.org/