High-Tech Bridge Security Research Lab discovered XSS vulnerability in SearchBlox, which can be exploited to perform Cross-Site Scripting attacks against the vulnerable web application administrators.
Input passed via the “menu2” HTTP GET parameter to “/searchblox/admin/main.jsp” script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and scripting code in his browser in context of the vulnerable website.
A simple XSS exploit below uses the “alert()” JS function to display a box with “ImmuniWeb” word:
http://[host]/searchblox/admin/main.jsp?menu1=adm&menu2=%22%3E%3Cscript%3Eal ert%28%27ImmuniWeb%27%29;%3C/script%3E
CPE | Name | Operator | Version |
---|---|---|---|
searchblox | le | 8.2 |