The Aternity webserver, version 9 and prior, is reportedly vulnerable to cross-site scripting (XSS) on several web pages, and remote code execution via inclusion of untrusted functionality by default due to improper authentication before execution.
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2016-5061
Reportedly, the Aternity HTTPAgent, MacAgent, getExternalURL and retrieveTrustedUrl pages are susceptible to Cross-site scripting (XSS). An attacker may be able to craft a malicious script that can access any cookies, session tokens, or other sensitive information retained by the browser and used with the Aternity server.
A remote unauthenticated attacker may be able to craft a malicious script that can access any cookies, session tokens, or other sensitive information retained by the browser and used with the Aternity server, or execute code on the server with SYSTEM privileges.
The CERT/CC is currently unaware of a practical solution to this problem. However, the following workarounds are recommended:
Restrict port 14777
Thanks to Matthew Benton and Richard Kelley for reporting this vulnerability.
This document was written by Garret Wassermann.