Last active: June 1, 2018 15:14
EMS Master Calendar Reflected XSS Vulnerability (<8.0.0.20180520)
Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized, allowing malicious attackers to send a crafted URL and execute code in the context of the user's browser.
------------------------------------------
Additional Information:
CVE-Reference: CVE-2018-11628
Product: EMS Master Calendar
Vendor: EMS Software
Vulnerable Version: Before 8.0.0.20180521
Vulnerability Type: Reflected Cross-Site Scripting (XSS)
Attack Type: Remote
Attack Vector: Injection into vulnerable URL parameter
Vendor Acknowledged: True
Vendor Notification Timeline:
1. 5/8/2018: Contacted EMS Software to report the vulnerability.
2. 5/14/2018: EMS Software responded with acknowledgement of the vulnerability and information regarding the patched software version number.
3. 5/31/2018: Submitted to MITRE for CVE assignment.
Mitigation: EMS Software responded that they have patched the product and advise updating to a version after 8.0.0.201805210 to remediate the XSS vulnerability in the Master Calendar component.
Discovered and Provided:
- Chris Barretto of OCD Tech
- cbarretto[at]ocd-tech.com
- @TheOCDTech
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11628
https://docs.emssoftware.com/Content/V44.1_ReleaseNotes.htm
https://ocd-tech.com/blog/
https://twitter.com/TheOCDTech
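As an added illustration (not code from the advisory, from EMS Software or from OCD Tech), the following contrasts a page that reflects a URL parameter verbatim, as the advisory describes, with one that encodes the value for each output context it lands in. The `date` parameter name, the URL and the input string are constructed for the example; the advisory does not name the affected parameter.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed request: the query value breaks out of a quoted attribute and
# adds its own markup. The host, path and parameter name are hypothetical.
SAMPLE_URL = 'https://calendar.example/MasterCalendar?date=2018-05-21"><i>injected</i>'


def reflected_param(url, name, default=""):
    """Return the first value of a query parameter, as the server would see it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [default])[0]


def render_unsafe(url):
    """Reflects the parameter unchanged into element text and into an href.

    This is the pattern the advisory describes: whatever the URL carries
    becomes part of the page and runs in the viewer's browser.
    """
    date = reflected_param(url, "date")
    return f'<h1>Events for {date}</h1><a href="?date={date}">Refresh</a>'


def render_safe(url):
    """Encodes the same value once per output context.

    Element text and attribute values get HTML entity encoding (quote=True
    also covers the double quote, so the attribute cannot be closed early);
    the value placed inside the link's query string is percent-encoded.
    """
    date = reflected_param(url, "date")
    as_text = html.escape(date, quote=True)
    as_query = quote(date, safe="")
    return f'<h1>Events for {as_text}</h1><a href="?date={as_query}">Refresh</a>'


def markup_survived(fragment, rendered):
    """Regression check: did raw input markup reach the response unencoded?"""
    return fragment in rendered
```

The `markup_survived` check is the kind of assertion a test suite for the fixed version can run against every reflected parameter.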