Monday, January 23, 2012

CVE-2012-0285 and CVE-2012-0286 - WebNetwork6





Stoneware WebNetwork6 Vulnerability Assessment (Follow link below)



# Exploit Title: Stoneware WebNetwork6 CSRF and Persistent XSS
# Date: Discovered and reported 11/2011
# Author: Jacob Holcomb/Gimppy042
# Software Link: Stoneware INC, WebNetwork6 (www.stone-ware.com)
# Version: Any/All versions are vulnerable prior to 6.8.0 (Service Pack 8 install)
# CVE :  CVE-2012-0285 for all of the XSS issues, and CVE-2012-0286 for the CSRF


Additional e-mail advisory sent by Stoneware

Stoneware has released webNetwork 6.0 Service Pack 8.  The main purpose of this release is to address recently discovered security vulnerabilities within the webNetwork product.  The vulnerabilities could allow for unintended information disclosure and breach of user accounts.

The impact of exploitation of these vulnerabilities depends on the sensitivity of the content contained within webNetwork.  Since these vulnerabilities can allow arbitrary execution of supplied JavaScript, which could be used to exploit vulnerabilities within a web browser, such as malicious code execution.

For detailed information please refer to our knowledge base article:
http://www2.lanschool.com/e/2262/wql-jsp-kb-d1960/tqcsz/471431929

Service Pack 8 is available to all Stoneware customers by selecting the webNetwork 6 SP tab from:
http://www2.lanschool.com/e/2262/ite-downloads-index-html/tqctb/471431929

www.stone-ware.com

Stoneware, Inc
11555 North Meridian St., Ste 150
Carmel, IN 46033




Additional Exploit Postings:

http://www.exploit-db.com/exploits/18416/ 
