NCH Software Inventoria 3.45 (id param) Reflected Cross-Site Scripting Vulnerability

Severity: Medium
Advisory ID: ZSL-2014-5167
Release Date: 29 January 2014
Vendor: NCH Software
Affected Version: 3.45
CVE: N/A
Tested On: Microsoft Windows 7 Professional SP1 (EN)
Summary

Inventoria is a business inventory management and stock control software that allows you to manage and monitor your inventory to help streamline your operations and boost profits.

Description

The application suffers from a reflected XSS issue due to a failure to properly sanitize user-supplied input to the 'id' GET parameter in the 'locdelete' (JSP) script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
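
The defect described above is the classic reflected pattern: a query-string value is copied into the HTML response without output encoding. The following Python is an added illustration written for this advisory, not Inventoria's own code (its server-side implementation is not on the page). The page template, the hostname `inventoria.example` and the sample URL are constructed assumptions; the `locdelete` script and `id` parameter names come from the advisory. It shows the vulnerable rendering beside the hardened one and a small regression check a reviewer can run on rendered output.

```python
"""Illustrative code (not Inventoria's): reflecting a GET parameter with and
without HTML output encoding, plus a check for unencoded reflection."""
import html
from urllib.parse import urlsplit, parse_qs

# Hypothetical page body; the real locdelete output is not part of the advisory.
PAGE_TEMPLATE = "<html><body><p>Deleting location: {id}</p></body></html>"

# Constructed sample request: a harmless tag in the 'id' value, used only to
# show whether the renderer passes markup through unencoded.
SAMPLE_URL = "http://inventoria.example/locdelete?id=<b>loc-1</b>"


def get_id_param(url: str) -> str:
    """Extract the 'id' query parameter from a request URL ('' if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("id", [""])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable pattern (as the advisory describes): the raw parameter is
    placed straight into the HTML body."""
    return PAGE_TEMPLATE.format(id=get_id_param(url))


def render_hardened(url: str) -> str:
    """Fixed pattern: HTML-entity-encode the parameter before it reaches the
    HTML text context, so '<', '>', '&' and quotes become inert entities."""
    return PAGE_TEMPLATE.format(id=html.escape(get_id_param(url), quote=True))


def reflects_markup(raw_param: str, page: str) -> bool:
    """Regression check: True if a parameter containing markup-significant
    characters appears verbatim (unencoded) in the rendered page."""
    if not any(ch in raw_param for ch in "<>\"'"):
        return False  # nothing that could change the HTML structure
    return raw_param in page


if __name__ == "__main__":
    param = get_id_param(SAMPLE_URL)
    print("unsafe reflects markup:  ", reflects_markup(param, render_unsafe(SAMPLE_URL)))
    print("hardened reflects markup:", reflects_markup(param, render_hardened(SAMPLE_URL)))
    print(render_hardened(SAMPLE_URL))
```

`html.escape` is the right tool only for an HTML text or quoted-attribute context; a value placed inside a script block, a URL or a CSS property needs the encoding for that context, and server-side encoding is best paired with input validation (here, `id` is presumably an integer and could be rejected outright if it is not).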

Proof of Concept

Disclosure Timeline

N/A

Credits

Vulnerability discovered by Gjoko Krstic

References

Changelog

29.01.2014 - Initial release
30.01.2014 - Added reference [2]
31.01.2014 - Added references [3], [4] and [5]