PT-2014-01: Cross-Site Scripting in Nixu Namesurfer Vulnerable softwareNixu Namesurfer Version: 7.2.2 and earlierLink: http://www.nixusoftware.com/our_products_ipam.htmlSeverity levelSeverity level: Medium Impact: Cross-Site Scripting Access Vector: Remote CVSS v2: Base Score: 4.3 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)CVE: not assignedSoftware descriptionNixu Namesurfer implements a unified system for manageming DNS servers via web interface.Vulnerability descriptionThe specialists of the Positive Research center have detected a Cross-Site Scripting vulnerability in Nixu Namesurfer.The vulnerability allows an attacker to inject a malicious code into a page generated by the web-based system. This code will be executed on the victim’s computer when he/she opens this page. At that, the malicious code will interact with the attacker’s web server.How to fixUpdate your sofware up to the latest versionAdvisory status 16.01.2014 - Vendor gets vulnerability details 14.03.2014 - Vendor releases fixed version and details 27.03.2014 - Public disclosureCreditsThe vulnerability was detected by Alexey Osipov, Alexander Tlyapov, and Valentin Shilnenkov, Positive Research Center (Positive Technologies Company)Referenceshttp://en.securitylab.ru/lab/PT-2014-01 Reports on the vulnerabilities previously discovered by Positive Research:http://www.ptsecurity.com/research/advisory/ http://en.securitylab.ru/lab/