Xerox CentreWare Web Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
BID:30151
Info
| Bugtraq ID: | 30151 |
| Class: | Input Validation Error |
| CVE: | CVE-2008-3121 |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 09 2008 12:00AM |
| Updated: | May 07 2015 05:27PM |
| Credit: | These issues were disclosed by Xerox. |
| Vulnerable: | Xerox CentreWare Web 1.0, Xerox CentreWare Web 4.6 |
| Not Vulnerable: | Xerox CentreWare Web 4.6.46 |
Discussion
Xerox CentreWare Web is prone to multiple input-validation vulnerabilities, including SQL-injection issues and cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
All versions prior to Xerox CentreWare Web 4.6.46 are vulnerable.
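The advisory attributes both issue classes to insufficient sanitization of user-supplied data. The following added example (not code from Xerox or from CentreWare Web; the `printers` table, the queries and the sample inputs are constructed for illustration) shows the two underlying defects side by side with their fixes: a query built by string concatenation, which breaks on a legitimate apostrophe and treats any input as SQL text, next to a parameterized query that binds the input as a value; and an HTML fragment built from raw input, next to one that encodes the input before it reaches the page.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory sample table; this is not the product's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE printers (name TEXT, location TEXT)")
    conn.executemany(
        "INSERT INTO printers VALUES (?, ?)",
        [("Lobby-MFP", "Floor 1"), ("O'Brien-LJ", "Floor 2")],
    )
    return conn


def find_unsafe(conn, name):
    # Defective pattern: user input is pasted into the SQL text, so the
    # database parses it as part of the statement rather than as a value.
    sql = "SELECT location FROM printers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_safe(conn, name):
    # Hardened pattern: a placeholder keeps the statement fixed and the driver
    # passes the input as a bound value, whatever characters it contains.
    rows = conn.execute(
        "SELECT location FROM printers WHERE name = ?", (name,)
    )
    return [row[0] for row in rows]


def render_unsafe(name):
    # Defective pattern: raw input copied into markup is interpreted by the
    # browser as HTML, which is the root of a reflected or stored XSS.
    return "<td>" + name + "</td>"


def render_safe(name):
    # Hardened pattern: encode for the HTML text context before output;
    # quote=True also covers attribute-context quote characters.
    return "<td>" + html.escape(name, quote=True) + "</td>"


def demo():
    # Runs each pair on the same input and returns the observable outcomes.
    conn = make_db()
    results = {}
    try:
        results["unsafe_apostrophe"] = find_unsafe(conn, "O'Brien-LJ")
    except sqlite3.OperationalError as exc:
        # The apostrophe in the name terminates the string literal early;
        # the parser then sees "Brien-LJ'" as SQL and fails. Any input that
        # can alter the statement this way is the SQL-injection condition.
        results["unsafe_apostrophe"] = "error: " + str(exc)
    results["safe_apostrophe"] = find_safe(conn, "O'Brien-LJ")
    results["unsafe_html"] = render_unsafe("<b>Lobby</b>")
    results["safe_html"] = render_safe("<b>Lobby</b>")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The same input that makes `find_unsafe` fail is returned correctly by `find_safe`, and `render_safe` emits `&lt;b&gt;Lobby&lt;/b&gt;` where `render_unsafe` emits live markup. Reviewing an application for string-built SQL and for unencoded output, rather than for a list of specific bad characters, is how both issue classes named in this advisory are found and fixed.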
Exploit / POC
An attacker can exploit these issues via a browser. To exploit a cross-site scripting vulnerability, the attacker must entice a victim into following a malicious URI.
Solution / Fix
Solution:
The vendor released an advisory and CentreWare Web 4.4.46 to address these issues. Please see the references for more information.
References
References:
- CentreWare Web Drivers and Downloads (Xerox)
- CentreWare Web Homepage (Xerox)
- Xerox Security Bulletin XRX08-008 (Xerox)