XpoLog Center V6 Multiple Remote Vulnerabilities

Title: XpoLog Center V6 Multiple Remote Vulnerabilities
Advisory ID: ZSL-2016-5334
Type: Local/Remote
Impact: Cross-Site Scripting, Spoofing
Risk: (4/5)
Release Date: 01.07.2016
Summary
XpoLog Center is an application log analysis and management platform.
Description
XpoLog Center suffers from multiple vulnerabilities, including cross-site scripting (XSS), open redirection and cross-site request forgery (CSRF).
Vendor
XpoLog LTD - http://www.xpolog.com
Affected Version
6.4469
6.4254
6.4252
6.4250
6.4237
6.4235
5.4018
Tested On
Apache-Coyote/1.1
Microsoft Windows Server 2012
Microsoft Windows 7 Professional SP1 EN 64bit
Java/1.7.0_45
Java/1.8.0.91
Vendor Status
[14.06.2016] Vulnerability discovered.
[21.06.2016] Contact with the vendor.
[30.06.2016] No response from the vendor.
[01.07.2016] Public security advisory released.
PoC
xpolog_mv.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php
[2] https://cxsecurity.com/issue/WLB-2016070007
[3] https://packetstormsecurity.com/files/137748
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/114727
Changelog
[01.07.2016] - Initial release
[02.07.2016] - Added reference [2]
[06.07.2016] - Added reference [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk