Posts

Showing posts from January, 2020

Cross-Site Scripting vulnerability in Jama Connect 8.44.0

Image
Cross-Site Scripting vulnerability in Jama Connect 8.44.0 What is it? - Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Which feature is affected? "Import"-> "Data import wizard"(Select Import File and Destination) tab. The severity of this issue:- - An attacker can redirect a user to a malicious website or can steal the session token. An attacker can also perform phishing attacks using malicious JavaScripts. Did I notify Jama Security team about this vulnerability? Yes, I Informed Jama Security team, the issue is addressed in the latest build version 8.46 Release notes: https://community.jamasoftware.com/blogs/chloe/2020/01/16/jama-connect-846-cloud-release-notes Suggest
Image
Cross-Site Scripting vulnerability in app4.cloud.appspace.com cloud software What is it? - Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Which URL is affected? - https://app4.cloud.appspace.com/console/#!/ext/library The severity of this issue? - An attacker can redirect a user to a malicious website or can steal session token(no 'http only' flag was set☺). In this application, an attacker can create a temporary page 'webpage.html' and using this link he can spread malicious JavaScript code. The victim will observe the domain name-app4.cloud.appspace.com, which is a genuine site and clicks the malicious link. This link can be used to spread malicious javascript or can be used for Phishing.