Zero Science Lab » XpoLog Center V6 Multiple Remote Vulnerabilities

XpoLog Center V6 Multiple Remote Vulnerabilities

Title: XpoLog Center V6 Multiple Remote Vulnerabilities
Advisory ID: ZSL-2016-5334
Type: Local/Remote
Impact: Cross-Site Scripting, Spoofing
Risk: (4/5)
Release Date: 01.07.2016

Summary

Applications Log Analysis and Management Platform.

Description

XpoLog suffers from multiple vulnerabilities including XSS, Open Redirection and Cross-Site Request Forgery.

Vendor

XpoLog LTD - http://www.xpolog.com

Affected Version

6.4469
6.4254
6.4252
6.4250
6.4237
6.4235
5.4018

Tested On

Apache-Coyote/1.1
Microsoft Windows Server 2012
Microsoft Windows 7 Professional SP1 EN 64bit
Java/1.7.0_45
Java/1.8.0.91

Vendor Status

[14.06.2016] Vulnerability discovered.
[21.06.2016] Contact with the vendor.
[30.06.2016] No response from the vendor.
[01.07.2016] Public security advisory released.

PoC

xpolog_mv.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php
[2] https://cxsecurity.com/issue/WLB-2016070007
[3] https://packetstormsecurity.com/files/137748
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/114727

Changelog

[01.07.2016] - Initial release
[02.07.2016] - Added reference [2]
[06.07.2016] - Added reference [3] and [4]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk