Megapolis.Portal Manager Multiple Cross Site Scripting Vulnerabilities Network Vulnerability

Summary

This host is installed with Megapolis.Portal Manager and is prone to multipl xss vulnerabilities.

Impact

Successful exploitation will allow attacker to execute arbitrary HTML and script code in the context of an affected site. Impact Level: Application

Solution

No solution or patch is available as of 9th February, 2015. Information regarding this issue will updated once the solution details are available. For updates refer to http://www.softline.kiev.ua/en

Insight

Flaw is due to /control/uk/publish/category script does not validate input to the 'dateFrom' and 'dateTo' parameters before returning it to users.

Affected

Megapolis.Portal Manager

Detection

Send a crafted request via HTTP GET and check whether it is able to read cookie or not.

References

http://packetstormsecurity.com/files/128725
http://seclists.org/fulldisclosure/2014/Oct/77
http://www.osvdb.com/113506
http://xforce.iss.net/xforce/xfdb/97649

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-8381

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Annuaire PHP 'sites_inscription.php' Cross Site Scripting Vulnerability
Allaire JRun directory browsing vulnerability
Adobe ColdFusion HTTP Response Splitting Vulnerability
Apache ActiveMQ Persistent Cross-Site Scripting Vulnerability
Apache Open For Business HTML injection vulnerability

Take action and discover your vulnerabilities