SSD Advisory – IBM WebSphere Portal Cross-Site Scripting (XSS)

Vulnerabilities Summary
The following advisory describes a Cross-Site Scripting (XSS) vulnerability found in WebSphere Portal version 8.0.0.1.

IBM WebSphere Portal products provide enterprise web portals that help companies deliver a highly-personalized, social experience for their customers. WebSphere Portal products give users a single point of access to the applications, services, information and social connections they need. These products help increase visitor response and reduce web operations cost while offering a range of capabilities to meet your business needs.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
We notified IBM of the vulnerability back in September 2016. Repeated attempts to re-establish contact and get an answer on the status of the patches for this vulnerability went unanswered. At this time there is no solution or workaround for this vulnerability.


SSD Advisory – Icewarp, AfterLogic and MailEnable Code Injection

Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities in the Icewarp, AfterLogic and MailEnable webmail products.

The three vulnerabilities found are:

  1. Afterlogic Webmail code injection
  2. Icewarp Webmail code injection
  3. MailEnable Webmail code injection

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor Responses
AfterLogic
AfterLogic has released a patch to address the vulnerability. We have no information on which version addresses it; we believe the latest version of AfterLogic includes the fix for this vulnerability.

IceWarp
IceWarp has released a patch to address the vulnerability in version 11.4.0.

MailEnable
We notified MailEnable of the vulnerabilities back in November 2015. Repeated attempts to re-establish contact and get an answer on the status of the patches for these vulnerabilities went unanswered. At this time there is no solution or workaround for these vulnerabilities.


SSD Advisory – Polycom Video Conference Persistent and Unauthenticated XSS

Vulnerability Description
A persistent, pre-authenticated cross-site scripting vulnerability in the Polycom HDX web interface allows remote attackers to take over the camera and control it.