Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

XSS vulnerability Adobe Connect 9.3 (CVE-2015-0343 )

From: Stas Volfus <stasvolfus () gmail com>
Date: Thu, 11 Jun 2015 12:38:14 +0300
Advisory:               Adobe Connect Reflected XSS
Author:                 Stas Volfus (Bugsec Information Security LTD)
Vendor URL:             http://www.adobe.com/
Status:                 Vendor Notified


==========================
Vulnerability Description
==========================

Adobe Connect (Central) version: 9.3 is vulnerable to Reflected XSS
(Cross Site Scripting).

The attack allows execution of arbitrary JavaScript in the context of
the user’s browser.

CVE id: CVE-2015-0343  assigned  for this issue.



==========================
        PoC
==========================
The following URL demonstrates the vulnerability:
https://vulnerablewebsite.com/admin/home/homepage/search?account-id=1&filter-rows=1&filter-start=0&now=yes&query=<a
href="javascript:alert('XSS')">XSS Link</a>



==========================
Disclosure Timeline
==========================

04-NOV-2014 - Vendor notified

01-DEC-2014 - CVE assigned

27-MAR-2015 - Resolved by vendor, fix deployed on Adobe Connect 9.4.


==========================
References
==========================http://www.adobe.com/il_en/products/adobeconnect.html
https://helpx.adobe.com/adobe-connect/release-note/connect-94-release-notes.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: