[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVE-2014-5391 DOM-based Cross-Site Scripting (XSS) in "JobScheduler"
-----BEGIN PGP SIGNED MESSAGE-----
"DOM-based Cross-Site Scripting (XSS)" (CWE-79) vulnerability in "JobScheduler" product
Software- & Organisations-Service GmbH
"JobScheduler is a workload automation tool. It is used to launch JobScheduler objects,
such as jobs and/or orders, at the occurrence of time, file or calendar events. JobScheduler
was recognised in 2012 by Gartner Inc. with a placement in their Magic Quadrant for workload
automation. JobScheduler provides solutions from simple to complex scheduling scenarios.
It is available with an open source or a commercial licence."
- source: http://www.sos-berlin.com/modules/cjaycontent/index.php?id=osource_scheduler_introduction_en.htm
This vulnerability affects versions of JobScheduler prior to 1.7.4241
as well as versions prior to 1.6.4246.
The vendor has released patches for versions 1.7.x and 1.6.x at
This issue was reported to the vendor by Christian Schneider (@cschneider4711)
following a responsible disclosure process.
Using a specially crafted request to access the web interface of JobScheduler it
is possible to execute DOM-based Cross-Site Scripting (XSS) attacks. The content of
the hash-part is written using document.write() from location.hash directly into the HTML,
resulting in the DOM-based XSS.
Proof of concept
Due to the responsible disclosure process chosen and to not harm unpatched systems,
no concrete exploit code will be presented in this advisory.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
-----END PGP SIGNATURE-----