actiTIME 2015.2 Multiple Vulnerabilities

Title: actiTIME 2015.2 Multiple Vulnerabilities
Advisory ID: ZSL-2015-5273
Type: Local/Remote
Impact: Spoofing, Cross-Site Scripting, Privilege Escalation
Risk: (3/5)
Release Date: 31.10.2015
Summary
actiTIME is web-based timesheet software. It allows users to enter time spent on different work assignments, register time off and sick leave, and then create detailed reports covering almost any management or accounting need.
Description
The application suffers from multiple security vulnerabilities, including Open Redirection, HTTP Response Splitting and an Unquoted Service Path that allows Elevation of Privilege.
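The advisory names three vulnerability classes but keeps the details in the separate PoC file. The following is an added defender-side example, not code from the advisory, from Zero Science Lab or from the vendor: one check per class, written the way a reviewer would test a fix. The redirect guard accepts only site-relative paths or http(s) URLs to an allow-listed host, the header guard rejects control characters before a value reaches a response header, and the service-path check flags an ImagePath whose executable portion contains a space without quotes. The host name, service names and paths are constructed sample values and are not actiTIME's.

```python
import re
from urllib.parse import urlsplit

# Hosts this deployment may redirect to. Hypothetical value, not from the advisory.
ALLOWED_HOSTS = frozenset({"timesheet.example"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Open-redirection guard: accept a site-relative path, or an http(s) URL whose
    host is on the allow-list. Everything else is rejected."""
    if not target or any(ch in target for ch in "\r\n\x00"):
        return False
    # Browsers treat a backslash like a forward slash, so "/\evil.example" would be
    # followed as a protocol-relative URL. Normalise first so the parser sees it too.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                      # javascript:, data:, ...
    if parts.netloc:
        host = parts.hostname             # drops any user@ prefix and :port suffix
        return host is not None and host.lower() in allowed_hosts
    # No host at all: must be an absolute-path reference, but not the "//host" form
    return normalised.startswith("/") and not normalised.startswith("//")


# CR, LF and every other ASCII control character (tab included; it is rarely needed).
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def header_value_is_clean(value: str) -> bool:
    """HTTP response-splitting guard: a value that will be placed in a response header
    (Location, Set-Cookie, ...) may not contain CR/LF or other control characters,
    otherwise attacker input can terminate the header and start a new one."""
    return _CONTROL_CHARS.search(value) is None


# Everything up to the first ".exe" is taken as the executable part of an ImagePath.
# This is a heuristic: a directory name containing ".exe" would confuse it.
_BINARY_RE = re.compile(r"^(.*?\.exe)\b", re.IGNORECASE)


def is_unquoted_service_path(image_path: str) -> bool:
    """Unquoted-service-path check: when an ImagePath is not quoted, Windows has to
    guess where the executable ends, and a space in the path makes several shorter
    candidates valid. Flag paths whose executable portion contains a space and is
    not wrapped in double quotes."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return False                      # quoted: the executable boundary is explicit
    match = _BINARY_RE.match(image_path)
    binary = match.group(1) if match else image_path   # no ".exe": judge the whole string
    return " " in binary


def find_unquoted_service_paths(services):
    """Return the names of services whose ImagePath fails the check above."""
    return [name for name, path in services if is_unquoted_service_path(path)]


# Constructed sample of (service name, ImagePath) pairs, modelled on the values found
# under HKLM\SYSTEM\CurrentControlSet\Services. None of these are real actiTIME values.
SAMPLE_SERVICES = [
    ("GoodQuoted",  r'"C:\Program Files\Example App\svc.exe" -run'),
    ("GoodNoSpace", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("BadUnquoted", r"C:\Program Files\Example App\svc.exe -run"),
    ("GoodEnvVar",  r"%SystemRoot%\system32\example.exe"),
]


if __name__ == "__main__":
    for t in ("/timesheet", "//evil.example/", "https://timesheet.example/app", "/\\evil.example"):
        print(f"redirect {t!r:40} safe={is_safe_redirect(t)}")
    print("header clean:", header_value_is_clean("/home\r\nSet-Cookie: session=x"))
    print("unquoted service paths:", find_unquoted_service_paths(SAMPLE_SERVICES))
```

Run it to see the four redirect targets classified, the CRLF-bearing header value rejected, and only BadUnquoted reported. When verifying a vendor patch for this class of issue, the same three functions can be pointed at the real redirect parameter, the reflected header value and the live service configuration instead of the constructed samples.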
Vendor
Actimind, Inc. - http://www.actitime.com
Affected Version
2015.2 (Small Team Edition)
Tested On
OS/Platform: Windows 7 6.1 for x86
Servlet Container: Jetty/5.1.4
Servlet API Version: 2.4
Java: 1.7.0_76-b13
Database: MySQL 5.1.72-community-log
Driver: MySQL-AB JDBC Driver mysql-connector-java-5.1.13
Patch level: 28.0
Vendor Status
[13.10.2015] Vulnerabilities discovered.
[19.10.2015] Vendor contacted.
[30.10.2015] No response from the vendor.
[31.10.2015] Public security advisory released.
PoC
actitime_mv.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/38602/
[2] https://cxsecurity.com/issue/WLB-2015110005
[3] https://packetstormsecurity.com/files/134179
[4] http://www.securityfocus.com/bid/77403
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/107765
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/107766
[7] https://exchange.xforce.ibmcloud.com/vulnerabilities/107767
Changelog
[31.10.2015] - Initial release
[03.11.2015] - Added references [1], [2] and [3]
[08.11.2015] - Added reference [4]
[14.11.2015] - Added references [5], [6] and [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk