[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability
From: Jing Wang <justqdjing () gmail ! com>
Date: 2014-12-19 2:49:11
Message-ID: CAFWG0-gbB_3D=t7AjT2ZJu_CD=tk7S097KKp2tELKkCBTfskiw () mail ! gmail ! com
[Download RAW message or body]
*CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting)
Security Vulnerability*
Exploit Title: TennisConnect "TennisConnect COMPONENTS System" /index.cfm
pid Parameter XSS
Product: TennisConnect COMPONENTS System
Vendor: TennisConnect
Vulnerable Versions: 9.927
Tested Version: 9.927
Advisory Publication: Nov 18, 2014
Latest Update: Nov 18, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8490
Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]
*Advisory Details:*
*(1) Vendor URL:*
http://www.tennisconnect.com/products.cfm#Components
*Product Description:*
TennisConnect COMPONENTS
* Contact Manager (online player database)
* Interactive Calendar including online enrollment
* League & Ladder Management through Tencap Tennis
* Group Email (including distribution lists, player reports, unlimited
sending volume and frequency)
* Multi-Administrator / security system with Page Groups
* Member Administration
* MobileBuilder
* Online Tennis Court Scheduler
* Player Matching (Find-a-Game)
* Web Site Builder (hosted web site and editing tools at www. your domain
name .com)
*(2) Vulnerability Details:*
TennisConnect COMPONENTS System is vulnerable to XSS attacks.
*(2.1)* The vulnerability occurs at "/index.cfm?" page, with "&pid"
parameter.
*References:*
http://tetraph.com/security/cves/cve-2014-8490-tennisconnect-components-system-xss-cross-site-scripting-security-vulnerability/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8490
--
Wang Jing
School of Physical and Mathematical Sciences
Nanyang Technological University, Singapore
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic