OcPortal Arbitrary File Disclosure And Cross Site Scripting Vulnerabilities Network Vulnerability

Summary

ocPortal is prone to multiple cross-site scripting vulnerabilities and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and obtain sensitive information. ocPortal versions prior to 7.1.6 are vulnerable.

Solution

Updates are available. Please see the references for details.

References

http://ocportal.com/site/news/view/new-releases/ocportal-7-1-6-released.htm?filter=1%2C2%2C3%2C29%2C30
http://ocportal.com/site/news/view/ocportal-security-update.htm
http://ocportal.com/start.htm
http://www.securityfocus.com/bid/52768
https://www.htbridge.com/advisory/HTB23078

Updated on 2015-03-25

Severity

Classification

CVE CVE-2012-1470, CVE-2012-1471

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

An Image Gallery Multiple Cross-Site Scripting Vulnerability
/cgi-bin directory browsable ?
Apache Subversion Module Metadata Accessible
Afian 'includer.php' Directory Traversal Vulnerability
Andromeda Streaming MP3 Server Cross Site Scripting Vulnerability

ocPortal Arbitrary File Disclosure and Cross Site Scripting Vulnerabilities

Take action and discover your vulnerabilities