[FD] Emerson Network Power Cross Site Scripting(XSS) Vulnerability
- To: <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Emerson Network Power Cross Site Scripting(XSS) Vulnerability
- From: Kubilay Onur Gungor <kubilay@xxxxxxxxxxxxxxxxx>
- Date: Sat, 18 May 2019 14:19:56 +0300
I. VULNERABILITY
-------------------------
httpGetSet/httpGet.htm on Emerson Network Power Liebert Challenger 5.1E0.5
devices allows XSS via the statusstr parameter.
II. CVE REFERENCE
-------------------------
CVE-2019-12167
III. VENDOR
-------------------------
Emerson Network Power
IV. TIMELINE
-------------------------
13/05/2019 Vulnerability discovered
V. CREDIT
-------------------------
Kubilay Onur Gungor from Cyber Struggle
VI. DESCRIPTION
-------------------------
In this reflected Cross Site Scripting (XSS) flaw, a client can place script in
a request parameter and have the server return that script, unencoded, in the
response page. This occurs because the application takes untrusted data and
reuses it in its output without performing any validation, sanitisation or
output encoding. A remote attacker can therefore conduct cross-site scripting
attacks against users of the device's web interface.
Affected Component:
Path(inurl): /httpGetSet/httpGet.htm?
Parameter: statusstr
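The unencoded reflection described above beside its encoded form, plus a check a defender can run over web-server access logs for the affected page, as an added Python example that is not part of this advisory or of the vendor's firmware (the log lines, client addresses and the two render functions are constructed for illustration; the device's real template is not known):

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

AFFECTED_PATH = "/httpGetSet/httpGet.htm"   # from the advisory
AFFECTED_PARAM = "statusstr"                # from the advisory

# Constructed sample access-log lines (hypothetical clients, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/May/2019:14:19:56 +0300] "GET /httpGetSet/httpGet.htm?statusstr=System%20Normal HTTP/1.1" 200 1423
10.0.0.7 - - [18/May/2019:14:20:03 +0300] "GET /httpGetSet/httpGet.htm?statusstr=%3Cb%3EAlarm%3C%2Fb%3E HTTP/1.1" 200 1431
10.0.0.9 - - [18/May/2019:14:20:10 +0300] "GET /index.htm HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Characters that change meaning inside an HTML text or attribute context.
HTML_META_RE = re.compile(r'[<>"\']')


def render_status_vulnerable(statusstr):
    """Hypothetical template that reflects the parameter verbatim (the flaw)."""
    return "<p>Status: " + statusstr + "</p>"


def render_status_fixed(statusstr):
    """Same template with the parameter encoded for an HTML text context."""
    return "<p>Status: " + html.escape(statusstr, quote=True) + "</p>"


def suspicious_statusstr(line):
    """True if a log line requests the affected page with an HTML-significant
    statusstr value; parse_qs decodes once, unquote again catches double encoding."""
    m = REQUEST_RE.search(line)
    if not m:
        return False
    parts = urlsplit(m.group("target"))
    if parts.path != AFFECTED_PATH:
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get(AFFECTED_PARAM, [])
    return any(HTML_META_RE.search(unquote(v)) for v in values)


def scan_log(log_text):
    """Return the log lines that warrant a closer look."""
    return [ln for ln in log_text.splitlines() if suspicious_statusstr(ln)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious:", hit)
```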
VII. SOLUTION
-------------------------
Update to the latest version.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/