
© 竹意 | Powered by LOFTER

CVE-2014-8490 TennisConnect COMPONENTS System XSS

From: whitehat

CVE-2014-8490  TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability




Exploit Title: TennisConnect "TennisConnect COMPONENTS System" /index.cfm pid Parameter XSS
Product: TennisConnect COMPONENTS System
Vendor: TennisConnect
Vulnerable Versions: 9.927
Tested Version: 9.927
Advisory Publication: Nov 18, 2014
Latest Update: Nov 18, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8490
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]




Advisory Details:

(1) Vendor URL:
http://www.tennisconnect.com/products.cfm#Components

Product Description:
TennisConnect COMPONENTS
* Contact Manager (online player database)
* Interactive Calendar including online enrollment
* League & Ladder Management through Tencap Tennis
* Group Email (including distribution lists, player reports, unlimited sending volume and frequency)
* Multi-Administrator / security system with Page Groups
* Member Administration
* MobileBuilder
* Online Tennis Court Scheduler
* Player Matching (Find-a-Game)
* Web Site Builder (hosted web site and editing tools at www. your domain name .com)





(2) Vulnerability Details:

TennisConnect COMPONENTS System is vulnerable to XSS attacks.

(2.1) The vulnerability occurs at the "/index.cfm" page, in the "pid" query parameter.
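The advisory states only that the "pid" parameter of /index.cfm reflects into the page without sanitisation. As an added illustration (not code from the advisory or from TennisConnect, whose ColdFusion handler is not on this page), the following Python sketch shows the defensive pattern that closes this class of bug: allow-list validation of the page id, HTML output encoding of anything reflected, and a small log-triage check a defender can run over request URLs. The handler and function names, the `example.invalid` host and the sample pid values are all constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample request URLs (not from the advisory); hostname and pid values are made up.
SAMPLE_URLS = [
    "http://example.invalid/index.cfm?pid=42",
    "http://example.invalid/index.cfm?pid=<script>alert(1)</script>",
]

# Hypothetical allow-list: a page id is a short decimal string. The real application's
# id format is not documented on the page, so adjust the pattern to the actual data.
PID_RE = re.compile(r"^[0-9]{1,10}$")


def validate_pid(raw):
    """Allow-list validation: return the pid if it is a short decimal id, else None."""
    if raw is None or not PID_RE.match(raw):
        return None
    return raw


def render_unsafe(pid):
    """The pattern behind a reflected XSS: the query value is copied into HTML verbatim."""
    return f"<title>Page {pid}</title>"


def render_safe(pid):
    """Output-encode for an HTML text context even after validation (defence in depth)."""
    return f"<title>Page {html.escape(pid, quote=True)}</title>"


def handle(url):
    """Return (status, body) for a request to /index.cfm as a hardened handler would."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    raw = params.get("pid", [None])[0]
    pid = validate_pid(raw)
    if pid is None:
        # Reject rather than reflect: the rejection page never echoes the bad value.
        return 400, "<p>Invalid page id.</p>"
    return 200, render_safe(pid)


def looks_like_xss_probe(url):
    """Crude log-triage check: flag pid values carrying HTML metacharacters."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    raw = params.get("pid", [""])[0]
    return any(c in raw for c in "<>\"'")


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        status, body = handle(u)
        print(status, body, "| probe:", looks_like_xss_probe(u))
```

Validation alone would have blocked the reported input, but encoding on output is what protects every other place the value is rendered; the two are complementary, not alternatives. The triage function is deliberately simple and will produce false positives on legitimate values containing quotes, so treat it as a starting point for hunting in web-server logs rather than as a blocking rule.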





References:

http://packetstormsecurity.com/files/129662/TennisConnect-9.927-Cross-Site-Scripting.html
http://tetraph.com/security/cves/cve-2014-8490-tennisconnect-components-system-xss-cross-site-scripting-security-vulnerability/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8490
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8490
http://www.osvdb.org/show/osvdb/116114
http://cve.scap.org.cn/CVE-2014-8490.html
http://en.hackdig.com/?11701.htm
http://itsecurity.lofter.com/
http://seclists.org/fulldisclosure/2014/Dec/83
http://securitypost.tumblr.com/

 
评论
 
回到顶部