CVE-2014-4309

Multiple cross-site scripting (XSS) vulnerabilities in Openfiler 2.99 allow remote attackers to inject arbitrary web script or HTML via the (1) TinkerAjax parameter to uptime.html, or remote authenticated users to inject arbitrary web script or HTML via the (2) MaxInstances, (3) PassivePorts, (4) Port, (5) ServerName, (6) TimeoutLogin, (7) TimeoutNoTransfer, or (8) TimeoutStalled parameter to admin/services_ftp.html; the (9) dns1 or (10) dns2 parameter to admin/system.html; the (11) newTgtName parameter to admin/volumes_iscsi_targets.html; the User-Agent HTTP header to (12) language.html, (13) login.html, or (14) password.html in account/; or the User-Agent HTTP header to (15) account_groups.html, (16) account_users.html, (17) services.html, (18) services_ftp.html, (19) services_iscsi_target.html, (20) services_rsync.html, (21) system_clock.html, (22) system_info.html, (23) system_ups.html, (24) volumes_editpartitions.html, or (25) volumes_iscsi_targets.html in admin/.
Configurations

Configuration 1 (hide)

cpe:2.3:a:openfiler:openfiler:2.99:*:*:*:*:*:*:*

History

21 Nov 2024, 02:09

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/127044/Openfiler-NAS-SAN-Appliance-2.99-XSS-Traversal-Command-Injection.html - Exploit () http://packetstormsecurity.com/files/127044/Openfiler-NAS-SAN-Appliance-2.99-XSS-Traversal-Command-Injection.html - Exploit

Information

Published : 2014-06-18 14:55

Updated : 2024-11-21 02:09


NVD link : CVE-2014-4309

Mitre link : CVE-2014-4309

CVE.ORG link : CVE-2014-4309


JSON object : View

Products Affected

openfiler

  • openfiler
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')