CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability

2014-12-19 11:35
*CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability*

Exploit Title: TennisConnect "TennisConnect COMPONENTS System" /index.cfm pid Parameter XSS
Product: TennisConnect COMPONENTS System
Vendor: TennisConnect
Vulnerable Versions: 9.927
Tested Version: 9.927
Advisory Publication: Nov 18, 2014
Latest Update: Nov 18, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8490
Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]

*Advisory Details:*

*(1) Vendor URL:*

*Product Description:*
TennisConnect COMPONENTS
* Contact Manager (online player database)
* Interactive Calendar including online enrollment
* League & Ladder Management through Tencap Tennis
* Group Email (including distribution lists, player reports, unlimited
sending volume and frequency)
* Multi-Administrator / security system with Page Groups
* Member Administration
* MobileBuilder
* Online Tennis Court Scheduler
* Player Matching (Find-a-Game)
* Web Site Builder (hosted web site and editing tools at www. your domain
name .com)

*(2) Vulnerability Details:*

TennisConnect COMPONENTS System is vulnerable to XSS attacks.

*(2.1)* The vulnerability occurs at "/index.cfm?" page, with "&pid"



Wang Jing

School of Physical and Mathematical Sciences

Nanyang Technological University, Singapore

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

Source: seclists.org/fulldisclosure/2014/Dec/83
