Title:
======
NexorONE Online Banking - Multiple Cross Site Vulnerabilities

Date:
=====
2012-02-04

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=304

VL-ID:
=====
304

Introduction:
=============
NexorONE is the leading online banking software provider for Private International Banks, Offshore Financial Institutions, Savings and Loans, Credit Unions, Investment Fund Managers and Payment Processing Companies. NexorONE has already been deployed to more than 200 financial entities worldwide, spread out throughout 20 countries and in 12 different languages. With this market experience we know we can fulfill your business demands.

(Copy of the Vendor Homepage: https://www.nexorone.com/ )

Abstract:
=========
Vulnerability-Lab Team (Chokri B.A.) discovered multiple non-persistent Cross Site Scripting vulnerabilities in the NexorONE Online Banking Software.

Report-Timeline:
================
2011-10-05: Vendor Notification 1
2011-11-13: Vendor Notification 2
2011-12-17: Vendor Notification 3
2012-02-04: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A non-persistent (reflected) cross site scripting vulnerability is detected in the NexorONE Online Banking Software: the values of two login.php query parameters are written back into the page without output encoding. Successful exploitation of the vulnerability allows an attacker to hijack user/mod/admin sessions of the portal.

Vulnerable file(s):
[+] login.php

Vulnerable Param(s):
[+] ?visitor_language=
[+] ?message=

Picture(s):
../1.png
../2.png
../3.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with required user interaction.
For demonstration or reproduce ...

PoC 1:
_QUESTION_NEW_CUSTOMER " tabindex="4">_REGISTER <=[x]
PoC 2:
_QUESTION_NEW_CUSTOMER
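As an added, defender-side example (not NexorONE's code; the source of login.php is not on this page): a hypothetical Python reconstruction of the reflection pattern described in the Details section beside its output-encoded form, plus a check over constructed access-log lines for the two parameters listed above. The markup layout, the parameter defaults and the log lines are assumptions.

```python
# Added example, not NexorONE code: hypothetical reconstruction of the reflection
# defect described in the advisory, a hardened rendering, and a log check.
import html
import re
from urllib.parse import parse_qs, urlsplit

REFLECTED_PARAMS = ("visitor_language", "message")  # named in the advisory
MARKUP_META = re.compile(r'[<>"\']')  # can break out of attribute or text context

def _params(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def render_login_vulnerable(url):
    """Reflect both parameters raw: one inside a quoted attribute, one in
    element text. Deliberately unsafe, kept for comparison with the fix."""
    p = _params(url)
    return (f'<input type="hidden" name="visitor_language" value="{p.get("visitor_language", "en")}">'
            f'<div class="msg">{p.get("message", "")}</div>')

def render_login_hardened(url):
    """Same markup with output encoding. quote=True also encodes " and ',
    which the attribute context requires on top of < > &."""
    p = _params(url)
    lang = html.escape(p.get("visitor_language", "en"), quote=True)
    msg = html.escape(p.get("message", ""), quote=True)
    return (f'<input type="hidden" name="visitor_language" value="{lang}">'
            f'<div class="msg">{msg}</div>')

def flag_login_requests(log_lines):
    """Return (param, decoded value) for login.php requests whose
    visitor_language or message carries markup metacharacters."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        if not path.endswith("/login.php"):
            continue
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name in REFLECTED_PARAMS:
                hits.extend((name, v) for v in values if MARKUP_META.search(v))
    return hits

# Constructed access-log lines (combined-format style), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Feb/2012:10:00:01 +0000] "GET /login.php?visitor_language=en HTTP/1.1" 200 512',
    '10.0.0.7 - - [04/Feb/2012:10:00:02 +0000] "GET /login.php?message=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 540',
    '10.0.0.9 - - [04/Feb/2012:10:00:03 +0000] "GET /index.php?message=%3Cb%3E HTTP/1.1" 200 300',
]
```

The log check keys on the decoded parameter value, so URL-encoded and plain forms are caught alike; the same two parameters in the request layer are where a WAF rule or input-validation whitelist (a fixed language-code list for visitor_language) would sit.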