NetCracker Resource Management 8.0 - XSS Vulnerability

[jychia.sec () gmail com]

# Vulnerability type: Cross-site Scripting 
# Vendor: http://www.netcracker.com/
# Product: NetCracker Resource Management System
# Affected version: =< 8.0
# Patched version: 8.2
# Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan
# CVE ID: CVE-2015-2207

# PROOF OF CONCEPT (XSS)

Cross-site scripting (XSS) vulnerability in multiple pages in NetCracker
Resource Management System and earlier allows authenticated users to
inject arbitrary javascript via multiple parameters.

# VULNERABLE PARAMETERS:
ctrl
- t90001_0_theform_selection
- _scroll
- tableName
- parent
- circuit
- return
- xname
- mpTransactionId
- (etc...)

# SAMPLE PAYLOAD
- <script>alert("XSS")</script>

# TIMELINE
- 28/02/2015: Vulnerability found
- 13/03/2015: Vendor informed
- 13/03/2015: Vendor responded and acknowledged
- 19/05/2015: Vendor fixed the issue
- 22/07/2015: Public disclosure