Adiscon LogAnalyzer 4.1.6 Cross Site Scripting

Published: 2018-12-07 00:00:00
Author: Gustavo Sorondo
Source: packetstormsecurity.com (PACKETSTORM:150691)
EPSS: 0.002 (percentile 58.6%)

Title: Cross-Site Scripting in Adiscon LogAnalyzer (CVE-2018-19877)  
Credit: Gustavo Sorondo / http://www.cintainfinita.com  
Vendor/Product: Adiscon LogAnalyzer (https://loganalyzer.adiscon.com/ , https://github.com/rsyslog/loganalyzer)  
Vulnerability: Cross-Site Scripting (XSS)  
Vulnerable version: 4.1.6 and earlier  
Fixed in: 4.1.7  
CVE: CVE-2018-19877  
  
## Vulnerability Details  
  
Adiscon LogAnalyzer before 4.1.7 is affected by Cross-Site Scripting (XSS)  
in the 'referer' parameter of the login.php file.  
  
Proof of Concept:  
http://my.loganalyzer.instance/login.php?referer=%22%3E%3Cscript%3Ealert('Cinta%20Infinita')%3C/script%3E  
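
The flaw above comes from echoing the `referer` query value back into the login page without output encoding for the HTML context it lands in. The script below is an added example written for this page, not LogAnalyzer's own code (the project is PHP): it models the unsafe reflection beside a hardened version (an allowlist that only accepts same-site relative paths, followed by attribute-context escaping as defence in depth) and a small detector that flags the pattern in web-server access logs. The function names, the `index.php` fallback and the sample log lines are constructed assumptions; the payload is the one from the proof of concept.

```python
"""Defensive handling of a reflected 'referer' parameter (CVE-2018-19877 pattern).

Added example, not Adiscon LogAnalyzer's code. All helper names, the
'index.php' fallback and the log lines are constructed for illustration.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The advisory's proof-of-concept URL (host name as given in the advisory).
POC_URL = ("http://my.loganalyzer.instance/login.php?referer="
           "%22%3E%3Cscript%3Ealert('Cinta%20Infinita')%3C/script%3E")

# Constructed access-log lines in common log format; line 1 carries the payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Dec/2018:10:01:02 +0000] "GET /login.php?referer=index.php%3Ffilter%3Dhost HTTP/1.1" 200 1532',
    '203.0.113.9 - - [05/Dec/2018:10:02:17 +0000] "GET /login.php?referer=%22%3E%3Cscript%3Ealert(\'Cinta%20Infinita\')%3C/script%3E HTTP/1.1" 200 1610',
    '203.0.113.9 - - [05/Dec/2018:10:03:44 +0000] "GET /index.php HTTP/1.1" 200 9021',
]

# Allowlist for a same-site relative path with a query string; no quotes,
# angle brackets, colons (schemes) or backslashes can pass this.
SAFE_REFERER = re.compile(r"^[A-Za-z0-9_./?=&+-]*$")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def referer_from_url(url: str) -> str:
    """Return the URL-decoded 'referer' query value, or '' if absent."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("referer", [""])[0]


def render_vulnerable(referer: str) -> str:
    """Unsafe pattern: the raw value is interpolated into a quoted attribute,
    so a leading '">' closes the attribute and tag and the rest is markup."""
    return f'<input type="hidden" name="referer" value="{referer}">'


def sanitize_referer(referer: str, default: str = "index.php") -> str:
    """Accept only same-site relative paths; everything else falls back to
    default. Rejects absolute and protocol-relative URLs and path traversal."""
    if not referer or not SAFE_REFERER.fullmatch(referer):
        return default
    if referer.startswith("//") or ".." in referer:
        return default
    return referer


def escape_for_attribute(value: str) -> str:
    """Attribute-context encoding: & < > " and ' all become entities."""
    return html.escape(value, quote=True)


def render_hardened(referer: str) -> str:
    """Hardened pattern: validate against the allowlist, then encode for the
    attribute context regardless (defence in depth if the allowlist changes)."""
    safe = sanitize_referer(referer)
    return f'<input type="hidden" name="referer" value="{escape_for_attribute(safe)}">'


def flag_suspicious_referer(log_line: str) -> bool:
    """Detection: decode the request target from an access-log line and flag
    any 'referer' value that still contains HTML metacharacters."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    qs = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    for value in qs.get("referer", []):
        decoded = unquote(value)  # parse_qs decoded once; catch double encoding
        if any(ch in decoded for ch in '<>"\''):
            return True
    return False


def scan_log(lines: list[str]) -> list[int]:
    """Return the indices of log lines whose 'referer' looks like injected markup."""
    return [i for i, line in enumerate(lines) if flag_suspicious_referer(line)]


if __name__ == "__main__":
    payload = referer_from_url(POC_URL)
    print("vulnerable:", render_vulnerable(payload))
    print("hardened:  ", render_hardened(payload))
    print("flagged log lines:", scan_log(SAMPLE_LOG))
```

The allowlist does the real work here: the fix is to never let a user-controlled string that may contain `"`, `<` or `>` reach the attribute, and the escaping step only guarantees that even an allowlist mistake cannot break out of the quoted value. The detector decodes before matching, so percent-encoded payloads like the one in the advisory are caught rather than compared as literal `%3C` text.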
  
## Vulnerability Disclosure Timeline  
  
2018-11-26 - Vulnerability discovered by Cinta Infinita  
2018-11-28 - Vulnerability reported to Adiscon  
2018-12-04 - Vulnerability confirmed by Adiscon  
2018-12-05 - Issue is fixed and version 4.1.7 is released  
2018-12-05 - CVE-2018-19877 is assigned  
2018-12-05 - Full disclosure  
  
## Related fixes and releases  
  
https://loganalyzer.adiscon.com/news/loganalyzer-v4-1-7-v4-stable-released/  
https://github.com/rsyslog/loganalyzer/commit/367b50aa1a5a3eaefacd5fa9be397e6b6480168e#diff-fd4f9de25c2c01b55759936a6cc4b029  
  
## About Cinta Infinita  
  
Cinta Infinita offers Information Security related services. Our  
Headquarters are in Buenos Aires, Argentina.  
For more information, visit http://cintainfinita.com  
  
--  
Ing. Gustavo M. Sorondo  
Cinta Infinita - CTO  
Web: http://cintainfinita.com  
LinkedIn: https://www.linkedin.com/in/gustavosorondo  
GPG: http://www.cintainfinita.com/gpg/gs-pkey.txt  
  
