
Sparta Systems TrackWise TeamAccess module Multiple Cross Site Scripting Vulnerabilities

=========================================
Yaniv Miron aka "Lament" Advisory Feb 28, 2010
Sparta Systems TrackWise TeamAccess module Multiple Cross Site Scripting Vulnerabilities
=========================================

=====================
I. BACKGROUND
=====================
TrackWise® by Sparta Systems: A Holistic Approach to Enterprise Quality Management

TrackWise by Sparta Systems is an enterprise quality management solution (EQMS)
that optimizes quality, ensures compliance and reduces costs for world-class clients
across a range of industries. TrackWise is the only enterprise quality management
solution that offers the flexibility and configurability to adapt to company-specific
business processes, enabling our world-class clients across a range of industries
to define, track, manage and report on the core activities vital to their success.

http://www.spartasystems.com/trackwise-eqms/

=====================
II. DESCRIPTION
=====================

An attacker may inject scripts into the TrackWise application through the
TeamAccess module (the Login and BatchEditProgress.html servlets listed in section IV).

=====================
III. ANALYSIS
=====================

Exploitation of this vulnerability results in the execution of arbitrary script
code in the browser of a user who follows a malicious link.

=====================
IV. EXPLOIT
=====================

">http://example.com/[TrackWiseDir]/servlet/TeamAccess/Login/">

">http://example.com/[TrackWiseDir]/servlet/TeamAccess/BatchEditProgress.html/">
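As an added defensive example (not part of the original advisory), the following Python scans web-server access-log lines for requests to the two TeamAccess servlets above that carry XSS-looking input, undoing nested percent-encoding before matching. The `/tw/` deployment prefix standing in for [TrackWiseDir], the sample log lines and the marker patterns are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlparse

# Endpoint paths from the advisory; [TrackWiseDir] varies per deployment, so only the suffix is matched.
AFFECTED_SUFFIXES = (
    "/servlet/TeamAccess/Login/",
    "/servlet/TeamAccess/BatchEditProgress.html/",
)

# Typical reflected-XSS markers: tag, URL scheme, event handler, attribute break-out.
XSS_MARKERS = re.compile(r'<\s*script|javascript:|\bon\w+\s*=|"\s*>', re.IGNORECASE)

# Common Log Format: client ident user [timestamp] "request" status size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def fully_decode(s, rounds=3):
    """Remove up to `rounds` layers of percent-encoding so double encoding is caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(line):
    """Return (client, path, marker) for a request to an affected endpoint whose decoded target contains an XSS marker."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, _method, target, _status = m.groups()
    decoded = fully_decode(target)
    parsed = urlparse(decoded)
    if not any(s in parsed.path for s in AFFECTED_SUFFIXES):
        return None
    hit = XSS_MARKERS.search(decoded)
    return None if hit is None else (client, parsed.path, hit.group(0))

def scan(lines):
    """Apply classify() to each log line and keep only the hits."""
    return [r for r in map(classify, lines) if r]

# Constructed sample lines (hypothetical hosts and requests, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Feb/2010:10:00:01 +0000] "GET /tw/servlet/TeamAccess/Login/ HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Feb/2010:10:00:07 +0000] "GET /tw/servlet/TeamAccess/Login/?u=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [28/Feb/2010:10:00:09 +0000] "GET /tw/servlet/TeamAccess/BatchEditProgress.html/?id=%2522%2520onmouseover%253Dalert(1) HTTP/1.1" 200 300',
    '10.0.0.9 - - [28/Feb/2010:10:00:12 +0000] "GET /tw/other?q=%3Cscript%3E HTTP/1.1" 404 0',
]
```

Calling `scan(SAMPLE_LOG)` reports the two probes against the advisory's endpoints (the second one only because the double-encoded handler was decoded) and ignores the same marker on an unrelated path.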

=====================
V. DISCLOSURE TIMELINE
=====================

Jan 2009 Vulnerability Found
Jan 2009 Vendor Notification
Feb 2010 Public Disclosure

=====================
VI. CREDIT
=====================

Yaniv Miron aka "Lament".
lament@ilhack.org 
