Tuesday, 10 February 2015

CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability

CVE-2014-8490  TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability


Exploit Title: TennisConnect "TennisConnect COMPONENTS System" /index.cfm pid Parameter XSS
Product: TennisConnect COMPONENTS System
Vendor:    TennisConnect
Vulnerable Versions: 9.927
Tested Version:    9.927
Advisory Publication: Nov 18, 2014
Latest Update:    Nov 18, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8490
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]







Advisory Details:

(1) Vendor URL:
http://www.tennisconnect.com/products.cfm#Components

Product Description:
TennisConnect COMPONENTS
* Contact Manager (online player database)
* Interactive Calendar including online enrollment
* League & Ladder Management through Tencap Tennis
* Group Email (including distribution lists, player reports, unlimited sending volume and frequency)
* Multi-Administrator / security system with Page Groups
* Member Administration
* MobileBuilder
* Online Tennis Court Scheduler
* Player Matching (Find-a-Game)
* Web Site Builder (hosted web site and editing tools at www. your domain name .com)



(2) Vulnerability Details.
TennisConnect COMPONENTS System has a security problem. It is vulnerable to XSS attacks.
(2.1) The vulnerability occurs at "/index.cfm?" page, with "&pid" parameter.








References:

http://packetstormsecurity.com/files/129662/TennisConnect-9.927-Cross-Site-Scripting.html
http://tetraph.com/security/cves/cve-2014-8490-tennisconnect-components-system-xss-cross-site-scripting-security-vulnerability/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8490
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8490
http://www.osvdb.org/show/osvdb/116149
http://cve.scap.org.cn/CVE-2014-8490.html
http://en.hackdig.com/?11701.htm
http://itsecurity.lofter.com/
http://seclists.org/fulldisclosure/2014/Dec/83
http://securitypost.tumblr.com/
http://computerobsess.blogspot.com/2015/02/cve-2014-8490-tennisconnect-components.html
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/xss-vulnerability/cve-2014-8490-tennisconnect-components-system-xss-cross-site-scripting-security-vulnerability/
http://whitehatpost.blog.163.com/blog/static/2422320542015110102316210/#
http://tetraph.blogspot.com/2015/02/cve-2014-8490-tennisconnect-components.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1352





No comments:

Post a Comment