NolaPro Enterprise Cross Site Scripting and SQL Injection Vulnerabilities

Bugtraq ID:	39875
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	May 01 2010 12:00AM
Updated:	May 01 2010 12:00AM
Credit:	ekse
Vulnerable:	NolaPro NolaPro Enterprise 4.0.5538
Not Vulnerable:	NolaPro NolaPro Enterprise 4.0.5720

NolaPro Enterprise Cross Site Scripting and SQL Injection Vulnerabilities

NolaPro Enterprise is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

NolaPro Enterprise 4.0.5538 is vulnerable; other versions may also be affected.

NolaPro Enterprise Cross Site Scripting and SQL Injection Vulnerabilities

An attacker can exploit these issues via a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.

The following example URIs are available:

• /data/vulnerabilities/exploits/39875.txt

NolaPro Enterprise Cross Site Scripting and SQL Injection Vulnerabilities

Solution:
The vendor released an update to address this issue. Please see the references for more information.

NolaPro Enterprise Cross Site Scripting and SQL Injection Vulnerabilities

References:

• CORELAN-10-035 NolaPro Enterprise Multiple Vulnerabilities (corelan)
  
• Vendor Homepage (NolaPro)