Multiple cross-site scripting (XSS) vulnerabilities in Openfiler 2.99 allow remote attackers to inject arbitrary web script or HTML via the (1) TinkerAjax parameter to uptime.html, or remote authenticated users to inject arbitrary web script or HTML via the (2) MaxInstances, (3) PassivePorts, (4) Port, (5) ServerName, (6) TimeoutLogin, (7) TimeoutNoTransfer, or (8) TimeoutStalled parameter to admin/services_ftp.html; the (9) dns1 or (10) dns2 parameter to admin/system.html; the (11) newTgtName parameter to admin/volumes_iscsi_targets.html; the User-Agent HTTP header to (12) language.html, (13) login.html, or (14) password.html in account/; or the User-Agent HTTP header to (15) account_groups.html, (16) account_users.html, (17) services.html, (18) services_ftp.html, (19) services_iscsi_target.html, (20) services_rsync.html, (21) system_clock.html, (22) system_info.html, (23) system_ups.html, (24) volumes_editpartitions.html, or (25) volumes_iscsi_targets.html in admin/.
References
Configurations
History
21 Nov 2024, 02:09
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/127044/Openfiler-NAS-SAN-Appliance-2.99-XSS-Traversal-Command-Injection.html - Exploit |
Information
Published : 2014-06-18 14:55
Updated : 2024-11-21 02:09
NVD link : CVE-2014-4309
Mitre link : CVE-2014-4309
CVE.ORG link : CVE-2014-4309
JSON object : View
Products Affected
openfiler
- openfiler
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')