CVE-2014-8557 - JExperts Tecnologia / Channel Software Cross Site Scripting
Issues
Vendor Notified: 2014-10-27
INTRODUCTION:
The Channel Platform is an enterprise software project management (or
project management) developed by Brazilian company
JExperts Technology and present at thousands clients private enterprise and
government enterprise. This software consists of an integrated set of
solutions in the areas of strategy, projects and processes.
This problem was confirmed in the following versions of the Channel, other
versions maybe also affected.
Version: 5.0.33_CCB
DETAILS:
The Channel software is affected by Multiple Stored Cross Site Scripting.
The variable "usuario.nome" in page
".../channel/usuario.do?
"Ferramentas" and submenu "alterar dados pessoais", and the variable
"titulo.form" in page "...channel/ticket.do?action=
in menu "[incluir solicitação...]" do not sanitize input data, allowing
attacker to store malicious javascript code in a page.
CREDITS:
This vulnerability was discovered and researched by Luciano Pedreira
(a.k.a. shark)
Issues
Vendor Notified: 2014-10-27
INTRODUCTION:
The Channel Platform is an enterprise software project management (or
project management) developed by Brazilian company
JExperts Technology and present at thousands clients private enterprise and
government enterprise. This software consists of an integrated set of
solutions in the areas of strategy, projects and processes.
This problem was confirmed in the following versions of the Channel, other
versions maybe also affected.
Version: 5.0.33_CCB
DETAILS:
The Channel software is affected by Multiple Stored Cross Site Scripting.
The variable "usuario.nome" in page
".../channel/usuario.do?
"Ferramentas" and submenu "alterar dados pessoais", and the variable
"titulo.form" in page "...channel/ticket.do?action=
in menu "[incluir solicitação...]" do not sanitize input data, allowing
attacker to store malicious javascript code in a page.
CREDITS:
This vulnerability was discovered and researched by Luciano Pedreira
(a.k.a. shark)