0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Zenoss Monitoring System 4.2.5-2108 64bit - Stored XSS Vulnerability

Author

Dolev Farhi

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

CVE

Platform

# Exploit Title: Stored XSS vulnerability in Zenoss core open source monitoring system
# Date: 12/05/2014
# Exploit author: Dolev Farhi dolev(at)openflare.org
# Vendor homepage: http://zenoss.com
# Software Link: http://www.zenoss.com
# Version: Core 4.2.5-2108 64bit
# Tested on: Kali Linux
# Vendor alerted: 12/05/2014
# CVE-2014-3738
 
Software details:
 
==================
 
Zenoss (Zenoss Core) is a free and open-source application, server, and
network management platform based on the Zope application server.
 
Released under the GNU General Public License (GPL) version 2, Zenoss
Core provides a web interface that
 
allows system administrators to monitor availability,
inventory/configuration, performance, and events.
 
 
 
Vulnerability details:   Stored XSS Vulnerability
 
========================
 
A persistent XSS vulnerability was found in Zenoss core, by creating a
malicious host with the Title <script>alert("Xss")</script> any user
browsing
 
to the relevant manufacturers page will get a client-side script
executed immediately.
 
 
 
 
 
Proof of Concept:
1. Create a device with with the Title <script>alert("XSS")</script>
2. Navigate to the  Infrastructure -> Manufacturers page.
3. pick the name of the manufacturer of the device, e.g. Intel
4. select the type of the hardware the device is assigned to, e.g. GenuineIntel_ Intel(R) Core(TM) i7-2640M CPU _ 2.80GHz
5. the XSS Executes.
 
<tr class="even">
 
       <td class="tablevalues"><a href='/zport/dmd/Devices/Server/Linux/devices/localhost/devicedetail'><script>alert("Dolev")</script></a></td>
 
       <td class="tablevalues">GenuineIntel_ Intel(R) Core(TM) i7-2640M CPU _ 2.80GHz</td>
 
</tr>

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Zenoss Monitoring System 4.2.5-2108 64bit - Stored XSS Vulnerability

Report Error

Report Error