- Vendor: J2 Innovations
- Product: FIN Stack
- Version: 4.0
- CVE: CVE-2017-11175
- CVSS3.0 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C)
The authentication webform is vulnerable to reflected XSS via the query string to /login.
An attack is performed by manipulation of the URL, which points to the login page. The attack doesn't require authentication.
http://<domain>/login?<malicious code goes here>.
http://example.com/login?a%22%3E%3Cscript%3Ealert%28%27MIR%20XSS%20Test%27%29%3C/script%3Ea=1
- 2017-07-05 - Vendor has been informed
- 2017-07-11 - Submitted request for a CVE number to Mitre
- 2017-07-12 - Mitre assigned CVE-2017-11175
- 2017-08-25 - Innovations says that it will take a month or two to fix