NCH Software Inventoria 3.45 (id param) Reflected Cross-Site Scripting Vulnerability

Title: NCH Software Inventoria 3.45 (id param) Reflected Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2014-5167
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 29.01.2014
Summary
Inventoria is a business inventory management and stock control software that allows you to manage and monitor your inventory to help streamline your operations and boost profits.
Description
The application suffers from a reflected XSS issue because user-supplied input to the 'id' GET parameter of the 'locdelete' (JSP) script is not properly sanitized before it is reflected in the response. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
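The flaw class described above, as an added illustration that is not Inventoria's code and not part of the original advisory: a hypothetical servlet standing in for the 'locdelete' page, with the vulnerable reflection of 'id' beside a hardened version (the class and method names, and the assumption that location ids are decimal integers, are illustrative).

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical reconstruction of the vulnerable pattern and its fix; not Inventoria's code.
public class LocDeleteServlet extends HttpServlet {
    // Vulnerable pattern: the 'id' parameter is echoed into the HTML response verbatim,
    // so a crafted link can inject markup and script into the victim's browser session.
    static String renderVulnerable(String id) {
        return "<p>Deleting location " + id + "</p>";
    }
    // Hardened pattern, step 1: validate that 'id' has the expected shape.
    // Assumption: location ids are decimal integers; adjust to the real identifier format.
    static boolean isValidId(String id) {
        return id != null && id.matches("[0-9]{1,10}");
    }
    // Hardened pattern, step 2: contextual output encoding for an HTML text node,
    // so that whatever the validator lets through cannot change the markup.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    static String renderHardened(String id) {
        if (!isValidId(id)) {
            return "<p>Invalid location id.</p>"; // never reflect the rejected value
        }
        return "<p>Deleting location " + htmlEncode(id) + "</p>";
    }
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Declaring the charset prevents encoding-sniffing tricks from reintroducing the issue.
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println(renderHardened(req.getParameter("id")));
    }
}
```

Validation alone is not sufficient where the real identifier format is broader than integers; the output encoding is the control that holds regardless of what the validator accepts.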
Vendor
NCH Software - http://www.nchsoftware.com
Affected Version
3.45
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Vendor Status
N/A
PoC
inventoria_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://cxsecurity.com/issue/WLB-2014010205
[2] http://packetstormsecurity.com/files/124987
[3] http://secunia.com/advisories/56681/
[4] http://www.securityfocus.com/bid/65250
[5] http://osvdb.org/show/osvdb/102686
Changelog
[29.01.2014] - Initial release
[30.01.2014] - Added reference [2]
[31.01.2014] - Added reference [3], [4] and [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk