Cross-Site Scripting (XSS) in Offiria
|Vendor:||Slashes & Dots Sdn Bhd.|
|Vulnerable Versions:||2.1.0 and probably prior|
|Advisory Publication:||April 2, 2014 [without technical details]|
|Vendor Notification:||April 2, 2014|
|Public Disclosure:||May 7, 2014|
|Vulnerability Type:||Cross-Site Scripting [CWE-79]|
|CVSSv2 Base Score:||4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)|
|Solution Status:||Solution Available|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered vulnerability in Offiria, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users of vulnerable application.
|Currently we are not aware of any official solution for this vulnerability. The vendor did not respond to:|
- 6 notifications by email
- 1 notification via twitter
- 1 notification via GitHub
As a temporary solution it is recommended to remove the vulnerable script or restrict access to it via .htaccess file or WAF.
| High-Tech Bridge Advisory HTB23210 - https://www.htbridge.com/advisory/HTB23210 - Cross-Site Scripting (XSS) in Offiria.|
 Offiria - https://offiria.com - Offiria is a private, secure Enterprise Social Network for your organization.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 ImmuniWeb® - a PCI compliant web application penetration test combined with managed vulnerability scan. Configure, schedule, and manage online 24/7.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.