Title: NCH Software Inventoria 3.45 (id param) Reflected Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2014-5167
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 29.01.2014
Summary

Inventoria is a business inventory management and stock control software that allows you to manage and monitor your inventory to help streamline your operations and boost profits.

Description
The application suffers from a reflected XSS issue due to a failure to properly sanitize user-supplied input to the 'id' GET parameter in the 'locdelete' (JSP) script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
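Added example (not part of the advisory, and not NCH Software's code): a minimal model of a handler that reflects a location 'id' into its response, shown next to the two controls that close a reflected XSS of this kind, allow-list validation of the id (it should only ever be an integer) and HTML entity encoding of anything that is still reflected. The function names and the sample values are assumptions; the sample inputs are constructed here and are not taken from the advisory's PoC file.

```python
import html
from typing import Optional

# Constructed sample inputs for illustration (not from the advisory's PoC).
SAMPLE_IDS = ["42", "1<b>x</b>", ""]


def render_locdelete_unsafe(loc_id: str) -> str:
    """Reflects the raw 'id' value straight into HTML.

    This is the pattern the advisory describes: whatever arrives in the
    query string becomes part of the page, so markup in the value is
    rendered by the browser instead of being shown as text. Kept only to
    contrast with the hardened version below.
    """
    return f"<p>Deleted location with id {loc_id}</p>"


def parse_location_id(raw: Optional[str]) -> Optional[int]:
    """Allow-list validation: a location id must be a non-negative integer.

    Returns the integer, or None when the value is missing or contains
    anything other than digits. Rejecting early means the value never
    reaches the template in a form that could carry markup.
    """
    if raw is None or not raw.isdigit():
        return None
    return int(raw)


def render_locdelete_safe(raw_id: Optional[str]) -> str:
    """Validate first, then encode on output as a second layer of defence.

    Even the error path never reflects the raw value without HTML entity
    encoding: html.escape turns < > & " ' into entities, so the browser
    displays the input as text rather than interpreting it as markup.
    """
    loc_id = parse_location_id(raw_id)
    if loc_id is None:
        return f"<p>Invalid location id: {html.escape(raw_id or '', quote=True)}</p>"
    # loc_id is an int here, so interpolating it cannot introduce markup.
    return f"<p>Deleted location with id {loc_id}</p>"


if __name__ == "__main__":
    for value in SAMPLE_IDS:
        print("unsafe:", render_locdelete_unsafe(value))
        print("safe:  ", render_locdelete_safe(value))
```

The validation step is the primary fix for a parameter like 'id', whose legitimate values are numeric; the output encoding remains in place so that any future code path that reflects a free-form string still renders it as text.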
Vendor

NCH Software - http://www.nchsoftware.com

Affected Version

3.45

Tested On

Microsoft Windows 7 Professional SP1 (EN)

Vendor Status

N/A

PoC

inventoria_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://cxsecurity.com/issue/WLB-2014010205
[2] http://packetstormsecurity.com/files/124987
[3] http://secunia.com/advisories/56681/
[4] http://www.securityfocus.com/bid/65250
[5] http://osvdb.org/show/osvdb/102686

Changelog

[29.01.2014] - Initial release
[30.01.2014] - Added reference [2]
[31.01.2014] - Added reference [3], [4] and [5]

Contact

Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk