Flexense DiskSorter 10.7 Cross Site Scripting

Flexense DiskSorter versions 9.5.12 through 10.7 suffer from a cross site scripting vulnerability.

MD5 | d4fb1c2f7b38a25520bc865e565ac75d

URL: localhost/
Affected Component: */?n0ipr0cs<script>alert('XSS')</script>n0ipr0cs=1*

*Vulnerability Type:*
Cross Site Scripting https://cwe.mitre.org/data/definitions/79.html

*Vendor of Product: *
Flexense DiskSorter

*Version: *
from v9.5.12 to v10.7.

*Attack Type: *

*Impact: *
This attack allows an attacker code execution. The vulnerability affects
the confidentiality of personal data, possible theft of confidential
information, for example credentials of session, cookie information,
personal information, or a possible loss of control of the PC.

DiskSorter is a file classification solution allowing one to classify files
in local disks, network shares, NAS devices and enterprise storage systems.
Users are provided with the ability to gain an in-depth visibility into
which types of files are using most of the disk space, save reports and
perform file management operations on categories of files.

This vulnerability have been discovered by
Francisco Javier Santiago VA!zquez aka "n0ipr0cs"

*Disclosure Timeline:*
April 07, 2018: Vulnerability acquired by Francisco Javier Santiago
VA!zquez. aka "n0ipr0cs".
April 07, 2018: Responsible disclosure to Flexense Security Team.
April 18, 2018: Second Message Responsible disclosure to Flexense Security
April 24, 2018: The vulnerability has been fixed.The new product version
(v10.8) fixes a number of bugs and security vulnerabilities, this include
April 30, 2018: Disclosure of vulnerability.

*Link:* http://blog.n0ipr0cs.io/post/2018/04/29/XSS-Flexense-D

F. Javier Santiago VA!zquez

Related Posts