XpoLog Center V6 Multiple Remote Vulnerabilities

High
Advisory ID
ZSL-2016-5334
Release Date
01 July 2016
Vendor
Affected Version
6.4469, 6.4254, 6.4252, 6.4250, 6.4237, 6.4235, 5.4018
CVE
N/A
Tested On
Apache-Coyote/1.1, Microsoft Windows Server 2012, Microsoft Windows 7 Professional SP1 EN 64bit, Java/1.7.0_45, Java/1.8.0.91
Summary

Applications Log Analysis and Management Platform.

Description

XpoLog suffers from multiple vulnerabilities including XSS, Open Redirection and Cross-Site Request Forgery.

Proof of Concept
Disclosure Timeline
14.06.2016: Vulnerability discovered.
21.06.2016: Contact with the vendor.
30.06.2016: No response from the vendor.
01.07.2016: Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
01.07.2016: Initial release
02.07.2016: Added reference [2]
06.07.2016: Added reference [3] and [4]