.. / CVE-2014-9606

Exploit for Netsweeper 4.0.8 - Cross-Site Scripting (CVE-2014-9606)

Description:

Multiple cross-site scripting vulnerabilities in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) server parameter to remotereporter/load_logfiles.php, (2) customctid parameter to webadmin/policy/category_table_ajax.php, (3) urllist parameter to webadmin/alert/alert.php, (4) QUERY_STRING to webadmin/ajaxfilemanager/ajax_get_file_listing.php, or (5) PATH_INFO to webadmin/policy/policy_table_ajax.php/.

Nuclei Template

View the template here CVE-2014-9606.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2014/CVE-2014-9606.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2014-9606
http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html
https://github.com/ARPSyndicate/kenzer-templates
https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz

.. / CVE-2014-9606 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for Netsweeper 4.0.8 - Cross-Site Scripting (CVE-2014-9606)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2014-9606