Web News, Technology, Science, etc
网络技术是从1990年代中期发展起来的新技术,它把互联网上分散的资源融为有机整体,实现资源的全面共享和有机协作,使人们能够透明地使用资源的整体能力并按需获取信息。
CVE-2014-7290 Atlas Systems Aeon XSS Vulnerability
CVE-2014-7290 Atlas Systems Aeon XSS Vulnerability
Exploit Title: Atlas Systems Aeon XSS Vulnerability
Product: Aeon
Vendor: Atlas Systems
Vulnerable Versions: 3.6 3.5
Tested Version: 3.6
Advisory Publication: Nov 12, 2014
Latest Update: Nov 12, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7290
Solution Status: Fixed by Vendor
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]
Advisory Details:
(1) Aeon
Aeon is special collections circulation and workflow automation software for your special collections library designed by special collections librarians.
Aeon improves customer service and staff efficiency while providing unparalleled item tracking, security and statistics.
(2) However, it is vulnerable to XSS Attacks.
(2.1) The first vulnerability occurs at “aeon.dll?” page, with “&Action” parameter.
(2.2) The second vulnerability occurs at “aeon.dll?” page, with “&Form” parameter.
Solutions:
2014-09-01: Report vulnerability to Vendor
2014-10-05: Vendor replied with thanks and vendor will change the source code
References:
https://prometheus.atlas-sys.com/display/aeon/Aeon+3.6+Release+Notes
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7290
https://www.securityfocus.com/bid/71185
https://www.osvdb.org/show/osvdb/114655
https://exploitarchive.com/atlas-systems-aeon-3-5-3-6-cross-site-scripting/
https://www.scap.org.cn/CVE-2014-7290.html
评论