Multiple Consona Products 'n6plugindestructor.asp' Cross Site Scripting Vulnerability

Bugtraq ID:	39999
Class:	Input Validation Error
CVE:	CVE-2010-1905
Remote:	Yes
Local:	No
Published:	May 07 2010 12:00AM
Updated:	Apr 13 2015 09:02PM
Credit:	Rubén Santamarta
Vulnerable:	Consona Consona Subscriber Assistance 0 Consona Consona Live Assistance 0 Consona Consona Dynamic Agent 0
Not Vulnerable:

Multiple Consona Products 'n6plugindestructor.asp' Cross Site Scripting Vulnerability

Multiple Consona (formerly SupportSoft) products are prone to a cross-site scripting vulnerability.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials; other attacks are possible.

The following are vulnerable:
Consona Live Assistance
Consona Dynamic Agent
Consona Subscriber Assistance

Multiple Consona Products 'n6plugindestructor.asp' Cross Site Scripting Vulnerability

An attacker can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.

The following example URIs are available:

• /data/vulnerabilities/exploits/39999.txt

Multiple Consona Products 'n6plugindestructor.asp' Cross Site Scripting Vulnerability

Solution:
Updates are available; please see the references for more information.

Multiple Consona Products 'n6plugindestructor.asp' Cross Site Scripting Vulnerability

References:

• Consona (formerly SupportSoft) Intelligent Assistance Suite (IAS) cross-site scr (US-CERT)
  
• Consona Homepage (Consona)
  
• Wintercore releases an advisory for Consona products. (Wintercore)
  
• [Wintercore Research] Consona Products - Multiple vulnerabilities ([email protected])
  
• SecurityBulletin_April2010.pdf (Consona)