******************************
******************************
Advisory: security.panasonic.com – Cross-Site Script Vulnerability (XSS)
Advisory ID: 969061
Author: Roberto Garcia (@1gbDeInfo)
Affected Software: Successfully tested on security.panasonic.com Vendor
URL: http://security.panasonic.com
Vendor Status: reported 2 times but not solved
******************************
******************************
**************************
Vulnerability Description
**************************
The website " security.panasonic.com " is prone to a XSS vulnerability.
This vulnerability involves the ability to inject arbitrary and unauthorized
javascript code. A malicious script inserted into a page in this manner can
hijack the user’s session, submit unauthorized transactions as the user,
steal confidential information, or simply deface the page.
**************************
PoC-Exploit
**************************
http://vftr.panasonic.co.jp/
lert%280%29%3C%2Fscript%3E&x=
http://vftr.panasonic.co.jp/
lert%28document.cookie%29%3C%
**************************
Solution
**************************
Reported 2 times but not solved
**************************
Disclosure Timeline
**************************
- Report vuln Jun 4, 2014 via email to samuel.garcia@ext.eu.
- Reported again via web Jun 12, 2014. They answer me:
Dear Mr. Garcia,
Thank you for your prompt e-mail reply.
egarding your enquiry, I am writing to confirm having forwarded your
message to the corresponding department.
Kind Regards,
Teo
Customer Service Team
Panasonic UK
**************************
Afected sites:
- vftr.panasonic.co.jp
- security.panasonic.com
- panasonic.ney
**************************
**************************
Credits
**************************
------------------------------
--------------
Vulnerability found and advisory written by Roberto Garcia (@1gbDeInfo)
------------------------------
--------------
Best regards.
Roberto Garcia Amoriz
Linkedin: es.linkedin.com/in/rogaramo/
Web: http://www.1gbdeinformacion.
Twitter: @1gbdeinfo