
CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability

Exploit Title: TennisConnect "TennisConnect COMPONENTS System" /index.cfm pid Parameter XSS
Product: TennisConnect COMPONENTS System
Vendor: TennisConnect
Vulnerable Versions: 9.927
Tested Version: 9.927
Advisory Publication: Nov 18, 2014
Latest Update: Nov 18, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8490
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]

Advisory Details:

(1) Vendor URL:
http://www.tennisconnect.com/products.cfm#Components

Product Description:
TennisConnect COMPONENTS
* Contact Manager (online player database)
* Interactive Calendar including online enrollment
* League & Ladder Management through Tencap Tennis
* Group Email (including distribution lists, player reports, unlimited sending volume and frequency)
* Multi-Administrator / security system with Page Groups
* Member Administration
* MobileBuilder
* Online Tennis Court Scheduler
* Player Matching (Find-a-Game)
* Web Site Builder (hosted web site and editing tools at www. your domain name .com)





(2) Vulnerability Details.

TennisConnect COMPONENTS System 9.927 is vulnerable to cross-site scripting (XSS) through a URL parameter.

(2.1) The vulnerability is in the "/index.cfm" page: the value of the "pid" query-string parameter is reflected into the HTML response without output encoding, so a crafted /index.cfm?pid=... link can inject script or HTML that runs in the browser of any user who opens it.





References:

http://packetstormsecurity.com/files/129662/TennisConnect-9.927-Cross-Site-Scripting.html
http://tetraph.com/security/cves/cve-2014-8490-tennisconnect-components-system-xss-cross-site-scripting-security-vulnerability/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8490
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8490
http://www.osvdb.org/show/osvdb/116114
http://cve.scap.org.cn/CVE-2014-8490.html
http://en.hackdig.com/?11701.htm
http://itsecurity.lofter.com/
http://seclists.org/fulldisclosure/2014/Dec/83
http://securitypost.tumblr.com/
