BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

Get critical updates on the latest zeroday threats, including impact, mitigation and protection information - only from BeyondTrust.

osCMax Multiple Vulnerabilities

Disclosed December 9, 2013    Zeroday : 353 days

Vulnerability Description:

osCmax eCommerce contains a vulnerable version of SWFUpload allowing the attacker to execute arbitrary script code in the client’s browser. osCmax is also vulnerable to an information disclosure vulnerability that allows the attacker to gain the full installation path. Lastly, it does not properly restrict file upload capabilities, allowing an attacker to upload a file to the system.

Vendors:

osCMax

Vulnerable Software/Devices:

osCmax eCommerce v2.5.3

Vulnerability Severity:

Medium

Exploit Availability:

Publicly Available

Exploit Impact:

Cross-Site Scripting
Exploitation of this vulnerability is possible via maliciously crafted URLs that contain malicious scripts. This may allow an attacker to siphon sensitive information or execute arbitrary web scripts within the context of the browser.

Information Disclosure
Exploitation of this vulnerability will grant an attacker access to the full installation path of the osCmax software on the system. This is useful for reconnaissance purposes by the attacker.

Unrestricted File Upload
This vulnerability allows an attacker to bypass certain security restrictions on the system, allowing the attacker to upload arbitrary files to the system.

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices to detect for this vulnerability.

  • 31875 - osCMax Multiple Vulnerabilities (20131213) (Zero-Day)

Mitigation:

No mitigation is available.

Links:

CVE(s):