Security Advisory – SOS-09-003 – Infor SCM SupplyWEB Multiple Vulnerabilities

Release Date: 30-Apr-2009

Last Update:

Vendor Notification Date: 23-Apr-2009

Product: Infor SCM SupplyWEB

Platform: Windows (verified), possibly others

Affected versions: 10.1.2 (verified), possibly others

Severity Rating: Medium

Impact:
- XSS issue: cookie/credential theft, impersonation, loss of confidentiality
- Authorisation issue: loss of confidentiality
- Local file inclusion issue: loss of confidentiality

Attack Vector:
- XSS issue: remote by authenticated/unauthenticated user (depending on application component)
- Authorisation issue: remote without authentication
- Local file inclusion issue: remote by authenticated user

Solution Status: Currently no solution

CVE reference: CVE-2009-1793, CVE-2009-1794, CVE-2009-1795

Details

Infor SCM SupplyWEB is a web-enabled Supplier Relationship Management solution. During an application penetration test Sense of Security identified multiple vulnerabilities within this application, including: Cross-site Scripting (XSS), insufficient access control, and Local File Inclusion problems.

Please refer to the PDF version of this advisory for proof-of-concept code examples.

Solution

The vendor has been advised of the issue, but has not yet issued a fix.

Discovered By

Brett Gervasoni from Sense of Security Labs.
