Altitude uAgent - Altitude uCI version 7.5 suffers from a cross site scripting vulnerability.
Altitude uAgent - Altitude uCI 7.5 Persistent XSS
Details
========================================================================================
Product: Altitude uAgent - Altitude uCI 7.5
Security-Risk: High
Vendor-URL: http://www.altitude.com
CVE-ID: CVE-2014-9212
Credits
========================================================================================
Discovered by: Owais Mehtab
Affected Products:
========================================================================================
Altitude uAgent Web
Description
========================================================================================
" Altitude uAgent - Altitude uCI 7.5 Persistent XSS "
More Details
========================================================================================
I found two persistent cross-site scripting (XSS) vulnerabilities in Altitude uAgent - Altitude uCI 7.5.
The vulnerabilities can be easily exploited and can be used to steal cookies,
perform phishing attacks and various other attacks compromising the security of a
user. These XSS can only be exploited by authenticated users.
Proof of Concept
========================================================================================
1-XSS In Hyperlink
------------------
In the send email option, click on insert hyperlink and insert the vector:
"><img src=x onerror=prompt(document.cookie);>
2-Email XSS
-----------
Another XSS was found in the image attribute section; the vulnerable parameter is (style).
POC attack vector:
x:expression(alert(1))
I have informed the vendor but they don't tend to fix the problem.
--
Regards,
Owais Mehtab
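
Mitigation sketch for the two input fields named in the Proof of Concept (hyperlink and image style), added here as an example; it is not code from the vendor or from the advisory's author. The function names, the scheme list and the style allowlist are assumptions chosen for illustration.

```javascript
// Added example, not vendor code. All function and constant names are hypothetical.

// Encode the characters that can close an attribute value or open a tag.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Hyperlink field: accept only absolute URLs with an allowed scheme, then
// encode both the URL and the link text before they reach the markup.
function buildHyperlink(href, text) {
  let url;
  try {
    url = new URL(String(href).trim());
  } catch (err) {
    return null; // not an absolute URL, e.g. the attribute-breakout vector
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return `<a href="${escapeAttr(url.href)}" rel="noopener noreferrer">${escapeAttr(text)}</a>`;
}

// Image style field: property -> pattern its value must match (constructed allowlist).
const STYLE_ALLOW = new Map([
  ['width', /^\d{1,4}(px|%)$/],
  ['height', /^\d{1,4}(px|%)$/],
  ['float', /^(left|right|none)$/],
]);

// Keep only declarations on the allowlist; everything else, including
// expression(...) and url(...), is dropped rather than filtered.
function sanitizeStyle(style) {
  const kept = [];
  for (const decl of String(style).split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim().toLowerCase();
    const rule = STYLE_ALLOW.get(prop);
    if (rule && rule.test(value)) kept.push(`${prop}: ${value}`);
  }
  return kept.join('; ');
}
```

Because both vulnerabilities are persistent, the same encoding and allowlisting must be applied again when stored messages are rendered, not only when they are submitted.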