HP OpenCall Media Platform Multiple Cross Site Scripting and Remote File Include Vulnerabilities



HP OpenCall Media Platform is prone to multiple cross-site scripting vulnerabilities and a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit these issues to execute arbitrary script code, either in the browser of an unsuspecting user in the context of the affected site or in the context of the webserver process. This may allow the attacker to steal cookie-based authentication credentials or obtain potentially sensitive information; other attacks are also possible.

HP OpenCall Media Platform 3.x versions prior to 3.4.2 RP201 and 4.x versions prior to 4.4.7 RP702 are vulnerable.

Information

Bugtraq ID: 98013
Class: Input Validation Error
CVE: CVE-2017-5799, CVE-2017-5798
Remote: Yes
Local: No
Published: Mar 20 2017 12:00AM
Updated: Mar 20 2017 12:00AM
Credit: Maor Shwartz
Vulnerable:
  HP OpenCall Media Platform 4.4.4
  HP OpenCall Media Platform 4.4.3
  HP OpenCall Media Platform 4.4
  HP OpenCall Media Platform 4.3.4
  HP OpenCall Media Platform 4.3.3
  HP OpenCall Media Platform 4.3
  HP OpenCall Media Platform 4.2
  HP OpenCall Media Platform 4.0
  HP OpenCall Media Platform 3.4.2
  HP OpenCall Media Platform 3.4.1
  HP OpenCall Media Platform 3.4
  HP OpenCall Media Platform 3.3
  HP OpenCall Media Platform 3.2
  HP OpenCall Media Platform 3.0
Not Vulnerable:
  HP OpenCall Media Platform 4.4.7 RP702
  HP OpenCall Media Platform 3.4.2 RP201


Exploit


An attacker can exploit these issues via a browser. To exploit the cross-site scripting issues, the attacker must entice an unsuspecting victim into following a malicious URI.

The researcher has created a proof-of-concept to demonstrate these issues. Please see the references for more information.

