Good for Enterprise Application Cross-Site Scripting Vulnerability

Vulnerability ID: 1121880    Type: Cross-site scripting
Published: 2013-09-25    Updated: 2013-09-25
CVE ID: CVE-2013-5118    CNNVD ID: CNNVD-201309-459
Platform: Hardware    CVSS score: 4.3
|Sources
https://www.exploit-db.com/exploits/28555
https://www.securityfocus.com/bid/62627
https://cxsecurity.com/issue/WLB-2013090172
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201309-459
|Details
Good for Enterprise is a mobile collaboration suite from the US company Good Technology; it includes email, contacts, calendar and scheduling. A cross-site scripting vulnerability exists in the Good for Enterprise application for iOS in versions 2.2.3 and earlier. A remote attacker can exploit it to inject arbitrary web script or HTML by means of an HTML email message.
|Exploit
The vulnerable versions are v2.2.2.1611 and earlier
 
Proof of Concept:
An HTML email including the following payload will execute JavaScript statements when the victim opens the email using the vulnerable version.
 
Payload:
<body>
<div>
<script>alert('XSS Here')</script>
</div>
</body>
 
Remediation:
I worked with the Good people to close the issue, I provided some guidance and feedback and agreed with them to not disclose it until they fix it.

The new release is now available:
Update the "Good for Enterprise" iOS application to 2.2.4.1659 or newer
 
References:
https://www.roblest.com/#research:CVE-2013-5118 

Can the community please provide feedback and comments in order to ensure the fix is working well?

Many thanks

Mario
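The root cause described in the advisory is that the mail client handed an untrusted HTML body to its renderer with active content intact, so a script element in the message ran in the client. The defender-side fix is to strip active content before rendering. The following is an added example written for this page, not code from Good Technology or from the advisory author; it uses only Python's standard library. The set of elements treated as active, the allowed URL schemes and the attribute names it inspects are this example's own assumptions, not a documented policy of the product.

```python
"""Strip active content from an HTML email body before it reaches a renderer.

Added example for this page; not code from Good Technology or the advisory.
The allow-list rules below are assumptions chosen for illustration.
"""
from html.parser import HTMLParser
import html

# Assumption: elements that can carry or load executable content; they and
# everything inside them are dropped.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "style", "form",
               "meta", "link", "base"}
# Assumption: the only URL schemes allowed to survive in URL-bearing attributes.
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# Assumption: attributes whose value is interpreted as a URL.
URL_ATTRS = {"href", "src", "action", "formaction", "background"}


class EmailHtmlSanitizer(HTMLParser):
    """Re-emits markup while removing ACTIVE_TAGS, on* event handlers and
    URLs that are not http(s)/mailto (so javascript:, data:, vbscript: go)."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out = []
        self.skip_depth = 0         # > 0 while inside an active element

    def _clean_attrs(self, attrs):
        kept = []
        for name, value in attrs:   # HTMLParser lower-cases names for us
            if name.startswith("on"):             # onload, onerror, onclick, ...
                continue
            if name in URL_ATTRS:
                url = (value or "").strip().lower()
                if not url.startswith(SAFE_SCHEMES):
                    continue
            if value is None:                     # boolean attribute, e.g. hidden
                kept.append(name)
            else:
                kept.append(f'{name}="{html.escape(value, quote=True)}"')
        return (" " + " ".join(kept)) if kept else ""

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip_depth += 1
            return
        if not self.skip_depth:
            self.out.append(f"<{tag}{self._clean_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in ACTIVE_TAGS or self.skip_depth:
            return
        self.out.append(f"<{tag}{self._clean_attrs(attrs)} />")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Text was decoded on input; re-escape so it cannot re-form markup.
            self.out.append(html.escape(data, quote=False))

    # Comments, <!DOCTYPE ...> and <?...?> are dropped by the default no-op handlers.


def sanitize_email_html(raw: str) -> str:
    """Return a copy of the HTML body with active content removed."""
    parser = EmailHtmlSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample body in the shape of the advisory's payload.
    sample = "<body><div><script>alert('XSS Here')</script></div></body>"
    print(sanitize_email_html(sample))   # -> <body><div></div></body>
```

The sanitizer is an allow-list on attributes and a deny-list on a small set of tags; in a real client the renderer should also run with scripting disabled so that sanitisation is a second layer rather than the only one.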
|Affected products
Good Technology Good for Enterprise for iOS 2.2.2.1611
|References

Source: www.roblest.com
Link: https://www.roblest.com/#research:CVE-2013-5118
Source: BUGTRAQ
Name: 20130924 CVE-2013-5118 XSS Good for Enterprise iOS
Link: http://archives.neohapsis.com/archives/bugtraq/2013-09/0114.html