TennisConnect 9.927 Cross Site Scripting
Posted on 20 December 2014
*CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability* Exploit Title: TennisConnect "TennisConnect COMPONENTS System" /index.cfm pid Parameter XSS Product: TennisConnect COMPONENTS System Vendor: TennisConnect Vulnerable Versions: 9.927 Tested Version: 9.927 Advisory Publication: Nov 18, 2014 Latest Update: Nov 18, 2014 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: CVE-2014-8490 Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore] *Advisory Details:* *(1) Vendor URL:* http://www.tennisconnect.com/products.cfm#Components *Product Description:* TennisConnect COMPONENTS * Contact Manager (online player database) * Interactive Calendar including online enrollment * League & Ladder Management through Tencap Tennis * Group Email (including distribution lists, player reports, unlimited sending volume and frequency) * Multi-Administrator / security system with Page Groups * Member Administration * MobileBuilder * Online Tennis Court Scheduler * Player Matching (Find-a-Game) * Web Site Builder (hosted web site and editing tools at www. your domain name .com) *(2) Vulnerability Details:* TennisConnect COMPONENTS System is vulnerable to XSS attacks. *(2.1)* The vulnerability occurs at "/index.cfm?" page, with "&pid" parameter. *References:* http://tetraph.com/security/cves/cve-2014-8490-tennisconnect-components-system-xss-cross-site-scripting-security-vulnerability/ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8490 -- Wang Jing School of Physical and Mathematical Sciences Nanyang Technological University, Singapore
