Flexense DupScout 10.7 Cross Site Scripting

Flexense DupScout versions 10.0.18 through 10.7 suffer from a cross site scripting vulnerability.

MD5 | 529777f139491d4efacfd5e6f5bc5387

URL: localhost/
Affected Component: */?n0ipr0cs<script>alert('XSS')</script>n0ipr0cs=1*

*Vulnerability Type:*
Cross Site Scripting https://cwe.mitre.org/data/definitions/79.html

*Vendor of Product: *
Flexense DupScout

*Version: *
from v10.0.18 to v10.7.

*Attack Type: *

*Impact: *
This attack allows an attacker code execution. The vulnerability affects
the confidentiality of personal data, possible theft of confidential
information, for example credentials of session, cookie information,
personal information, or a possible loss of control of the PC.

DupScout is a duplicate files finder allowing one to search and cleanup
duplicate files in local disks, network shares, NAS storage devices and
enterprise storage systems. Users are provided with the ability to search
duplicate files, save reports, replace duplicates with links, delete
duplicate files or move duplicate files to another location.

This vulnerability have been discovered by
Francisco Javier Santiago VA!zquez aka "n0ipr0cs"

*Disclosure Timeline:*
April 07, 2018: Vulnerability acquired by Francisco Javier Santiago
VA!zquez. aka "n0ipr0cs".
April 07, 2018: Responsible disclosure to Flexense Security Team.
April 18, 2018: Second Message Responsible disclosure to Flexense Security
April 25, 2018: The vulnerability has been fixed.The new product version
(v10.8) fixes a number of bugs and security vulnerabilities, this include
April 30, 2018: Disclosure of vulnerability.

*Link:* http://blog.n0ipr0cs.io/post/2018/04/29/XSS-Flexense-D

F. Javier Santiago VA!zquez

Related Posts