Webs ID Reflected XSS (Cross-site Scripting) Security Vulnerabilities
Exploit Title: Webs ID /login.jsp &error Parameter Reflected XSS (Cross-site Scripting) Security
Vendor: Webs, Inc
Product: Webs ID
Advisory Publication: April 02, 2015
Latest Update: April 02, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]
(1) Vendor & Product Description:
Product & Vulnerable Versions:
Vendor URL & download:
Webs ID can be obtained from here,
Terms of Service Overview:
“You represent that you are fully able and competent to enter into the terms, conditions, obligations, representations and warranties set forth in these Terms of Service. If you are using or creating a Website or Application on or through Webs.com as a representative of a company or legal entity, (i) you represent that you have the authority to enter into this Agreement on behalf of that company or entity, and (ii) you agree that the terms “you" and “your" in this Agreement refers to your company or legal entity. "
(2) Vulnerability Details:
Webs ID web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.
Several other Webs ID products 0-day vulnerabilities have been found by some other bug hunter researchers before. Webs ID has patched some of them. Gmane (pronounced “mane") is an e-mail to news gateway. It allows users to access electronic mailing lists as if they were Usenet newsgroups, and also through a variety of web interfaces. Gmane is an archive; it never expires messages (unless explicitly requested by users). Gmane also supports importing list postings made prior to a list’s inclusion on the service. It has published suggestions, advisories, solutions related to XSS vulnerabilities.
(2.1) The first code programming flaw occurs atoccurs at “/login.jsp?" page with “&error" parameter.