CVE-2014-7290 Atlas Systems Aeon XSS Vulnerability-行者路上有風有雨有彩虹

白帽子安全文章:

CVE-2014-7290 Atlas Systems Aeon XSS Vulnerability

Exploit Title: Atlas Systems Aeon XSS Vulnerability

Product: Aeon

Vendor: Atlas Systems

Vulnerable Versions: 3.6 3.5

Tested Version: 3.6

Advisory Publication: Nov 12, 2014

Latest Update: Nov 12, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-7290

Solution Status: Fixed by Vendor

Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]

Advisory Details:

(1) Aeon

Aeon is special collections circulation and workflow automation software for your special collections library designed by special collections librarians.

Aeon improves customer service and staff efficiency while providing unparalleled item tracking, security and statistics.

(2) However, it is vulnerable to XSS Attacks.

(2.1) The first vulnerability occurs at “aeon.dll?” page, with “&Action” parameter.

(2.2) The second vulnerability occurs at “aeon.dll?” page, with “&Form” parameter.

Solutions:

2014-09-01: Report vulnerability to Vendor

2014-10-05: Vendor replied with thanks and vendor will change the source code

References:

https://tetraph.com/security/xss-vulnerability/cve-2014-7290-atlas-systems-aeon-xss-cross-site-scripting-vulnerability/

https://prometheus.atlas-sys.com/display/aeon/Aeon+3.6+Release+Notes

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7290

https://www.securityfocus.com/bid/71185

https://www.osvdb.org/show/osvdb/114655

https://exploitarchive.com/atlas-systems-aeon-3-5-3-6-cross-site-scripting/

https://www.scap.org.cn/CVE-2014-7290.html

热度(18) 转载自：谷雨醉心冬小麦来源于：白帽子

行者路上有風有雨有彩虹

CVE-2014-7290 Atlas Systems Aeon XSS Vulnerability

评论

热度(18)