Full Disclosure mailing list archives
XSS on Panasonic site
From: "Roberto Garcia Amoriz" <roberto.garcia () rogaramo com>
Date: Fri, 20 Jun 2014 15:04:02 +0200
- XSS on Panasonic site-

*******************************************************************************
Advisory: security.panasonic.com Cross-Site Script Vulnerability (XSS)
Advisory ID: 969061
Author: Roberto Garcia (@1gbDeInfo)
Affected Software: Successfully tested on security.panasonic.com
Vendor URL: http://security.panasonic.com
Vendor Status: reported 2 times but not solved
*******************************************************************************

**************************
Vulnerability Description
**************************
The website "security.panasonic.com" is prone to an XSS vulnerability.
This vulnerability involves the ability to inject arbitrary and unauthorized
javascript code. A malicious script inserted into a page in this manner can
hijack the user's session, submit unauthorized transactions as the user, steal
confidential information, or simply deface the page.

**************************
PoC-Exploit
**************************
http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea
lert%280%29%3C%2Fscript%3E&x=0&y=0&ie=ISO-8859-1

http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea
lert%28document.cookie%29%3C%2Fscript%3E&x=0&y=0&ie=utf8

**************************
Solution
**************************
Reported 2 times but not solved

**************************
Disclosure Timeline
**************************
- Report vuln Jun 4, 2014 via email to samuel.garcia () ext eu panasonic com
- Reported again via web Jun 12, 2014.

They answered me:

  Dear Mr. Garcia,

  Thank you for your prompt e-mail reply. Regarding your enquiry, I am writing
  to confirm having forwarded your message to the corresponding department.

  Kind Regards,
  Teo
  Customer Service Team
  Panasonic UK

**************************
Affected sites:
- vftr.panasonic.co.jp
- security.panasonic.com
- panasonic.ney
**************************

**************************
Credits
**************************
-------------------------------------------------------------------------------
Vulnerability found and advisory written by Roberto Garcia (@1gbDeInfo)
-------------------------------------------------------------------------------

Best regards.

Roberto Garcia Amoriz
Linkedin: es.linkedin.com/in/rogaramo/
Web: http://www.1gbdeinformacion.com
Twitter: @1gbdeinfo

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
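
Added example (not part of the original post and not Panasonic's code): a sketch of how a search page can echo the `q` parameter safely, run against the query string of the advisory's first PoC URL. The advisory does not say which part of the page reflects `q`, so the page layout and the names `escapeHtml`, `safeHttpUrl` and `renderSearchPage` are assumptions; the sketch covers HTML text, quoted attributes and URL-bearing attributes.

```javascript
// Added example: hypothetical search-page renderer, not code from the affected site.
// POC_QUERY is the query string of the advisory's first PoC URL (email line wrap removed).
const POC_QUERY =
  'q=data%3Atext%2Fhtml%2C%3Cscript%3Ealert%280%29%3C%2Fscript%3E&x=0&y=0&ie=ISO-8859-1';

// Encode a value for HTML text nodes and quoted attribute values.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;'
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => HTML_ENTITIES[c]);
}

// A user-supplied value may reach href/src/redirect targets only when it parses
// as an absolute http(s) URL; data:, javascript: and relative junk return null.
function safeHttpUrl(value) {
  try {
    const u = new URL(value);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch {
    return null;
  }
}

// Assumed layout: the term is echoed in the search box, in the results
// heading, and (only if it is an http(s) URL) as a convenience link.
function renderSearchPage(rawQuery) {
  const q = new URLSearchParams(rawQuery).get('q') || '';
  const link = safeHttpUrl(q);
  return [
    '<form action="search.x">',
    `  <input name="q" value="${escapeHtml(q)}">`,
    '</form>',
    `<p>Results for: ${escapeHtml(q)}</p>`,
    link ? `<a href="${escapeHtml(link)}">Open as link</a>` : ''
  ].join('\n');
}

console.log(renderSearchPage(POC_QUERY));
```

Output encoding is per context: the same `q` value would need JavaScript-string or URL-component encoding if it were written into a script block or a query string instead.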
Current thread:
- XSS on Panasonic site Roberto Garcia Amoriz (Jun 20)
- Re: XSS on Panasonic site Adrien Jolibert (Jun 21)