Create a gist now

Instantly share code, notes, and snippets.

Embed
What would you like to do?
EMS Master Calendar Reflected XSS Vulnerability (<8.0.0.20180520)
Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters are not properly sanitized, allowing malicious attackers to send a crafted URL and execute code in the context of the user's browser.
------------------------------------------
Additional Information:
CVE-Reference: CVE-2018-11628
Product: EMS Master Calendar
Vendor: EMS Software
Vulnerable Version: Before 8.0.0.20180521
Vulnerability Type: Reflective Cross Site Scripting (XSS)
Attack Type: Remote
Attack Vector: Injection into vulnerable URL parameter
Vendor Acknowledged: True
Vendor Notification Timeline:
1. 5/8/2018: Contacted EMS Software to report vulnerability.
2. 5/14/2018: EMS Software responded with acknowledgement of vulnerability and information regarding the patched software version number.
3. 5/31/2018: Submitted to MITRE for CVE assignment
Mitigation: EMS Software responded that they have patched the product and advise updating it to a version after 8.0.0.201805210 to remediate the XSS vulnerability in the Master Calendar component.
Discovered and Provided:
- Chris Barretto of OCD Tech
- cbarretto[at]ocd-tech.com
- @TheOCDTech
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11628
https://docs.emssoftware.com/Content/V44.1_ReleaseNotes.htm
https://ocd-tech.com/blog/
https://twitter.com/TheOCDTech
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment