CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Security Vulnerabilities
Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Security Vulnerabilities
Vulnerable Versions: Version 6
Tested Version: Version 6
Advisory Publication: Feb 12, 2015
Latest Update: Feb 12, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8753
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]
(1) Vendor & Product Description:
Product & Version:
Vendor URL & Download:
Cit-e-Net can be downloaded from here,
“We are a premier provider of Internet-based solutions encompassing web site development and modular interactive e-government applications which bring local government, residents and community businesses together.”
“Cit-e-Net provides a suite of on-line interactive services to counties, municipalities, and other government agencies, that they in turn can offer to their constituents. The municipal government achieves a greater degree of efficiency and timeliness in conducting the daily operations of government, while residents receive improved and easier access to city hall through the on-line access to government services.”
(2) Vulnerability Details:
Cit-e-Access is vulnerable to cross-site scripting (XSS) attacks.
(2.1) The first vulnerability occurs at the “/eventscalendar/index.cfm?” page, in the “&DID” parameter of an HTTP GET request.
(2.2) The second vulnerability occurs at the “/search/index.cfm?” page, in the “&keyword” parameter of an HTTP POST request.
(2.3) The third vulnerability occurs at the “/news/index.cfm” page, in the “&jump2” and “&DID” parameters of an HTTP GET request.
(2.4) The fourth vulnerability occurs at the “eventscalendar?” page, in the “&TPID” parameter of an HTTP GET request.
(2.5) The fifth vulnerability occurs at the “/meetings/index.cfm?” page, in the “&DID” parameter of an HTTP GET request.
Left a message for the vendor. No response.
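
A defender-side check for the GET parameters listed in section (2), as an added example that is not part of the original advisory: it scans web access-log lines for requests to those pages whose named parameters decode to HTML markup characters. The Common Log Format input, the markup-character heuristic and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# First path segment -> GET parameters the advisory names for that page.
# The POST "keyword" parameter of /search/index.cfm travels in the request
# body, so it is not visible in access logs and is not covered here.
WATCHED = {
    "eventscalendar": {"did", "tpid"},
    "news": {"jump2", "did"},
    "meetings": {"did"},
}
REQUEST = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP = re.compile(r"[<>\"'`]")  # assumed heuristic: characters needed to break out into markup


def suspicious_params(log_line):
    """Return [(param, decoded_value)] for watched params containing markup characters."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    segment = url.path.lstrip("/").split("/", 1)[0].lower()
    watched = WATCHED.get(segment, set())
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = unquote(value)  # second decoding pass catches double-encoded input
        if name.lower() in watched and MARKUP.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Return (line_index, (param, value)) for every suspicious parameter found."""
    return [(i, hit) for i, line in enumerate(lines) for hit in suspicious_params(line)]


# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2015:10:00:00 +0000] "GET /eventscalendar/index.cfm?DID=7 HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Feb/2015:10:00:02 +0000] "GET /news/index.cfm?jump2=0&DID=7%22%3E%3Cb%3Ex HTTP/1.1" 200 900',
    '203.0.113.9 - - [12/Feb/2015:10:00:03 +0000] "GET /meetings/index.cfm?DID=%253Ci%253E HTTP/1.1" 200 700',
    '203.0.113.7 - - [12/Feb/2015:10:00:04 +0000] "GET /about/index.cfm?DID=%3Cb%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for idx, (name, value) in scan(SAMPLE_LOG):
        print(f"line {idx}: {name}={value!r}")
```

Hits from this scan are leads for review, not proof of exploitation; coverage of the POST “&keyword” parameter would need request-body logging or a WAF rule instead.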