Ilient SysAid Multiple Cross Site Scripting and HTML Injection Vulnerabilities
BID:52356
Info
Ilient SysAid Multiple Cross Site Scripting and HTML Injection Vulnerabilities
| Bugtraq ID: | 52356 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 08 2012 12:00AM |
| Updated: | Apr 11 2012 04:50PM |
| Credit: | Julien Ahrens of Vulnerability Research Laboratory |
| Vulnerable: |
Ilient SysAid 8.5.5 |
| Not Vulnerable: |
Ilient SysAid 8.5.8 |
Discussion
Ilient SysAid Multiple Cross Site Scripting and HTML Injection Vulnerabilities
Ilient SysAid is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Ilient SysAid 8.5.05 is vulnerable; other versions may also be affected.
Ilient SysAid is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Ilient SysAid 8.5.05 is vulnerable; other versions may also be affected.
Exploit / POC
Ilient SysAid Multiple Cross Site Scripting and HTML Injection Vulnerabilities
An attacker can exploit these issues by enticing an unsuspecting user to follow a malicious URI.
The following example data is available:
An attacker can exploit these issues by enticing an unsuspecting user to follow a malicious URI.
The following example data is available:
Solution / Fix
Ilient SysAid Multiple Cross Site Scripting and HTML Injection Vulnerabilities
Solution:
Vendor updates available. Please see the referenes for more information.
Solution:
Vendor updates available. Please see the referenes for more information.
References
Ilient SysAid Multiple Cross Site Scripting and HTML Injection Vulnerabilities
References:
References: