############################################################## - S21Sec Advisory - - S21SEC-047-en.txt - ############################################################## Title: Fotoware Fotoweb 8.0 Cross Site Scripting (XSS) ID: S21sec-047-en Severity: Low History: May.2016 Vulnerability discovered June.2016 Vendor contacted July.2016 Vendor patch acknowledge. Scope: Cross Site Scripting XSS Platforms: Any Author: Miguel A. Hernandez / Departamento Auditoria S21sec. Release: Public [ SUMMARY ] Fotoweb is an enterprise grade Digital Asset Management System (DMS). A DMS provides a central repository of pictures and media files. Unfiltered user-supplied data can lead a reflected XSS vulnerability. This allows an attacker to execute arbitrary JavaScript in the context of the browser of a victim if the victim clicks on an attacker supplied link or visits an attacker controlled website. [ AFFECTED VERSIONS ] This vulnerability has been tested and found working on version 8.0.715.5753 [ DESCRIPTION ] An insufficient input validation allows JS code injection in the parameter 'to' in login page. Example: http://fotowebserver/fotoweb/views/login?to=/fotoweb/%22;}%20else%20{%20alert%28%22S21sec%20XSS%22%29;%20}%20if%20%28inIframe%28%29%29%20{%20var%20relleno=%22 [ WORKAROUND ] The reported vulnerability has been reviewed by Fotoware development team. This issue is addressed in FotoWeb 8 Feature Release 8. [ ACKNOWLEDGMENTS ] This vulnerability has been found and researched by: - Miguel A. Hernandez [ Departamento de Auditoria S21sec ] We would like to acknowledge the assistance of Fotoware: - John Fredrik Engeland [ Fotoware Support Manager ] [ REFERENCES ] * Fotoware http://fotoware.com * S21sec http://www.s21sec.com * S21sec Blog http://blog.s21sec.com