Verint Impact 360 version 11.1 suffers from a cross site scripting vulnerability.
54466b5060b6fd427f94d75478de5e4cab2d71ef2d0fa9d482daec21fc337374
Overview
========
* Title : Cross Site Scripting Vulnerability In Verint Impact 360
* Author: Sanehdeep Singh
* Plugin Homepage: http://www.verint.com
* Severity: Medium
* Version Affected: 11.1
* Version patched: Patches available. Contact Vendor
Description
===========
About the Product
=================
Verint Impact 360 is a quality monitoring/call recording, workforce
management, performance management, and eLearning help optimize business
operations, customer relationships,and personnel enterprise-wide
application.
Vulnerable Parameter
--------------------
Send Message > Select Employee >
requiredPrivilegeIDs= XSS Payload
About Vulnerability
-------------------
Verint Impact 360 application is vulnerable to a Cross Site Scripting
Vulnerability which allows an attacker to perform the phishing or session
hijaking attacks. Attackers can redirect the user to fake page to obtain
the username and passwords or inject scripts to steal the cookies which can
lead to session hijacking attacks.
Vulnerability Class
===================
Cross Site Scripting (
https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
#Live Poc URL
https://xxx/wfo/control/emp_selector_pu?selectorName=Employee_GN31&isRefreshOpenerOnClose=false&isMultiSelectEnabled=true&userRequired=false&isShowActiveEmployeesOnly=true&requiredPrivilegeIDs=
<script>alert("XSS")</script>
Mitigation
==========
Contact Verint team for Mitigation.
Disclosure
==========
29-August-2016 Reported to Verint Team
Credits
=======
* Sanehdeep Singh
* Senior Consultant
* ControlCase International Pvt Ltd.