← Advisories

Spiceworks 6.0.00993 Multiple Script Injection Vulnerabilities

Medium

Advisory ID

ZSL-2012-5107

Release Date

17 September 2012

Vendor

Spiceworks Inc. - http://www.spiceworks.com

Affected Version

6.0.00993 and 6.0.00966

CVE

N/A

Tested On

Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.2.19, Ruby 1.9.1, SQLite 3.7.5

Summary

The Spiceworks IT Desktop delivers nearly everything you need to simplify your IT job. Available in a variety of languages, Spiceworks' single, easy-to-use interface combines Network Inventory, Help Desk, Mapping, Reporting, Monitoring and Troubleshooting. And, it connects you with other IT pros to share ideas, solve problems and decide what additional features you need in Spiceworks.

Description

Spiceworks suffers from multiple stored cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Proof of Concept

spiceworks_xss.txtTXT

spiceworks_xss.htmlHTML

Disclosure Timeline

26.08.2012Vulnerabilities discovered.

29.08.2012Contact with the vendor.

29.08.2012Vendor responds asking more details.

29.08.2012Sent detailed information to the vendor.

29.08.2012Vendor confirms receiving files.

03.09.2012Asked vendor for confirmation.

04.09.2012Vendor awaits status from submited ticket to development team.

11.09.2012Asked vendor for status update.