CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Web Application Zero Day Bug
Exploit Title: TennisConnect "TennisConnect COMPONENTS System" /index.cfm pid Parameter XSS
Product: TennisConnect COMPONENTS System
Vendor: TennisConnect
Vulnerable Versions: 9.927
Tested Version: 9.927
Advisory Publication: Nov 18, 2014
Latest Update: Nov 18, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8490
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)
Advisory Details:
(1) Vendor & Product Description:
Vendor:
TennisConnect
Product & Vulnerable Versions:
TennisConnect COMPONENTS System
9.927
Vendor URL & Download:
The product can be obtained from:
http://www.tennisconnect.com/products.cfm#Components
Product Description:
TennisConnect COMPONENTS
* Contact Manager (online player database)
* Interactive Calendar including online enrollment
* League & Ladder Management through Tencap Tennis
* Group Email (including distribution lists, player reports, unlimited sending volume and frequency)
* Multi-Administrator / security system with Page Groups
* Member Administration
* MobileBuilder
* Online Tennis Court Scheduler
* Player Matching (Find-a-Game)
* Web Site Builder (hosted web site and editing tools at www. your domain name .com)
(2) Vulnerability Details:
The TennisConnect COMPONENTS System web application is vulnerable to reflected XSS. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Other researchers have previously found zero-day vulnerabilities in several similar products, and TennisConnect COMPONENTS System has patched some of them. "Bugtraq is an electronic mailing list dedicated to issues about computer security. On-topic issues are new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It is a high-volume mailing list, and almost all new vulnerabilities are discussed there." Bugtraq has listed similar exploits, such as Bugtraq (Security Focus) 32920.
TennisConnect COMPONENTS System has a security problem. It is vulnerable to XSS attacks.
(2.1) The flaw is in the "/index.cfm?" page, in the "&pid" parameter.
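For defenders checking whether this parameter has been probed, the following added example (not part of the original advisory or the vendor's code) scans web access logs for requests to /index.cfm whose pid value carries HTML metacharacters, including nested URL-encoding. It assumes a common/combined log format; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that let a reflected value break out of HTML text or attributes.
HTML_META = set("<>\"'`")

def suspicious_pid(value, max_rounds=3):
    """True if the value holds HTML metacharacters, even under nested URL-encoding."""
    for _ in range(max_rounds):
        if HTML_META & set(value):
            return True
        decoded = unquote(value)
        if decoded == value:
            return False
        value = decoded
    return bool(HTML_META & set(value))

def scan(lines):
    """Return (line_number, pid_value) for flagged requests to /index.cfm."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        try:
            url = urlsplit(match.group(1))
        except ValueError:  # malformed request target, nothing to parse
            continue
        if not url.path.lower().endswith("/index.cfm"):
            continue
        # parse_qs decodes each value once; parameter name is compared case-insensitively.
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            if key.lower() == "pid":
                hits.extend((number, v) for v in values if suspicious_pid(v))
    return hits

# Constructed sample entries (documentation IP ranges, inert markup), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Nov/2014:10:00:01 +0000] "GET /index.cfm?pid=1021 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Nov/2014:10:00:07 +0000] "GET /index.cfm?PID=%22%3E%3Cx%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [18/Nov/2014:10:00:09 +0000] "GET /index.cfm?pid=%253Cx%253E HTTP/1.1" 200 5190',
    '198.51.100.7 - - [18/Nov/2014:10:00:12 +0000] "GET /products.cfm?pid=%3Cx%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious pid value {value!r}")
```

A hit shows that the parameter was sent markup, not that the script ran; whether the response reflected the value unencoded has to be confirmed against the application itself.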