Vulnerability Note VU#546340
QPR Portal contains multiple vulnerabilities
QPR Portal versions 2014.1.1 and older contain reflected and stored cross-site scripting vulnerabilities, and versions 2012.2.0 and older contain an insecure direct object reference vulnerability.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
QPR Portal versions 2014.1.1 and older contain a stored cross-site scripting vulnerability (CVE-2014-8266) affecting the title and body fields of the note creation page. A reflected cross-site scripting vulnerability (CVE-2014-8267) affects the RID parameter.
A remote, unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session or perform unauthorized operations on other users' notes.
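The three weakness classes named above map to three server-side checks: encode stored note fields on output, encode or validate any request parameter that is echoed back, and verify ownership on every note reference. The sketch below is an added example, not QPR Portal code; the note store, the function names, and the assumption that RID is a numeric note identifier are all hypothetical.

```python
import html
import re

# Constructed in-memory note store; owners, ids and field names are hypothetical.
NOTES = {
    1: {"owner": "alice", "title": "Q3 targets", "body": "Draft"},
    2: {"owner": "bob", "title": "<script>alert(1)</script>",
        "body": "<img src=x onerror=alert(2)>"},
}

RID_PATTERN = re.compile(r"[0-9]{1,10}")  # assumption: the identifier is numeric


class Forbidden(Exception):
    """Raised when the session user does not own the referenced note."""


def parse_rid(raw):
    """Allow-list validation of the request parameter; returns int or None."""
    return int(raw) if RID_PATTERN.fullmatch(raw or "") else None


def render_note(note):
    """Encode stored title/body at output time so stored markup is inert."""
    return "<h2>{}</h2><p>{}</p>".format(
        html.escape(note["title"], quote=True),
        html.escape(note["body"], quote=True))


def render_not_found(raw_rid):
    """Pages that echo the parameter must encode it too (reflected case)."""
    return "<p>No note for RID {}</p>".format(html.escape(raw_rid or "", quote=True))


def update_note(session_user, raw_rid, title, body):
    """Authorize on the server for every object reference before acting on it."""
    rid = parse_rid(raw_rid)
    note = NOTES.get(rid) if rid is not None else None
    if note is None:
        return render_not_found(raw_rid)
    if note["owner"] != session_user:
        raise Forbidden("note {} is not owned by {}".format(rid, session_user))
    note["title"], note["body"] = title, body  # stored raw, encoded on render
    return render_note(note)
```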
Apply an update
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| QPR Software | Affected | 18 Nov 2014 | 23 Jan 2015 |
CVSS Metrics
Thanks to Mukhammad Khalilov of HelpAG for reporting these vulnerabilities.
This document was written by Joel Land.
- CVE IDs: CVE-2014-8266 CVE-2014-8267 CVE-2014-8268
- Date Public: 23 Jan 2015
- Date First Published: 23 Jan 2015
- Date Last Updated: 23 Jan 2015
- Document Revision: 17