Phone Lines icon GFI Support

Articles in this section

See more

Stored XSS vulnerability in Kerio Connect 8.1 (CVE-2014-7304)

Author: Luis Fernandes Updated

Answer

Overview

October 6, 2014

The reported vulnerability involves a stored XSS vulnerability present in the calendar feature of Kerio Connect 8.1.
 
An authenticated user triggers the vulnerability by inserting malicious JavaScript code into a web page then, using a shared agenda, executes the code in the context of another user.
 
Reported by Géraud De Drouas from French Network and Information Security Agency (ANSSI).

Impact

Disclosure of sensitive information (session cookie for example).

CVSS Base Score: 5.5

Impact Subscore: 4.9

Exploitability Subscore: 8

Overall CVSS Score: 4.3

CVSS v2 Vector (AV:N/AC:L/Au:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C)

Vulnerable versions

Kerio Connect 8.1.0

Kerio Connect 8.1.1

Kerio Connect 8.1.2

Kerio Connect 8.1.3

 

Technical details

Lack of user input control (CWE-79

 

Related articles