PT-2019-11272 · Opt/Net Bv · Ng-Netms

Published

2019-02-04

Updated

2019-02-06

CVE-2019-1000024

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: OPT/NET BV NG-NetMS versions v3.6-2 and earlier

Description: The issue concerns a Cross Site Scripting (XSS) vulnerability. It affects the /js/libs/jstree/demo/filebrowser/index.php page, where the id and operation GET parameters can be used to inject arbitrary JavaScript. This can result in Cross-site scripting. The attack is exploitable via network connectivity.

Recommendations: For OPT/NET BV NG-NetMS versions v3.6-2 and earlier, consider disabling access to the /js/libs/jstree/demo/filebrowser/index.php page until a fix is available. Restrict the use of the id and operation parameters in this page to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2019-1000024

Affected Products

Ng-Netms

PT-2019-11272 · Opt/Net Bv · Ng-Netms

CVE-2019-1000024

Weakness Enumeration

Related Identifiers

Affected Products

References · 6