CVE-2015-2165 Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in the Report Viewer in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4.x, 5.x, and 6.x allow remote attackers to inject arbitrary web script or HTML via the (1) portal, (2) fromDate, (3) toDate, (4) fromTime, (5) toTime, (6) kword, (7) uname, (8) pname, (9) sname, (10) atype, or (11) atitle parameter to top-links.jsp; (12) portal or (13) uid parameter to (a) page-summary.jsp or (b) service-summary.jsp; (14) portal, (15) fromDate, (16) toDate, (17) fromTime, (18) toTime, (19) sortDirection, (20) kword, (21) uname, (22) pname, (23) sname, (24) file, (25) atype, or (26) atitle parameter to (c) top-useragent-devices.jsp or (d) top-interest-areas.jsp; (27) fromDate, (28) toDate, (29) fromTime, (30) toTime, (31) sortDirection, (32) kword, (33) uname, (34) pname, (35) sname, (36) file, (37) atype, or (38) atitle parameter to top-message-services.jsp; (39) portal, (40) fromDate, (41) toDate, (42) fromTime, (43) toTime, (44) orderBy, (45) sortDirection, (46) kword, (47) uname, (48) pname, (49) sname, (50) file, (51) atype, or (52) atitle parameter to (e) user-statistics.jsp, (f) top-web-pages.jsp, (g) top-devices.jsp, (h) top-pages.jsp, (i) session-summary.jsp, (j) top-providers.jsp, (k) top-modules.jsp, or (l) top-services.jsp; (53) fromDate, (54) toDate, (55) fromTime, (56) toTime, (57) orderBy, (58) sortDirection, (59) uid, (60) uid2, (61) kword, (62) uname, (63) pname, (64) sname, (65) file, (66) atype, or (67) atitle parameter to message-shortcode-summary.jsp; (68) fromDate, (69) toDate, (70) fromTime, (71) toTime, (72) orderBy, (73) sortDirection, (74) uid, (75) kword, (76) uname, (77) pname, (78) sname, (79) file, (80) atype, or (81) atitle parameter to (m) message-providers-summary.jsp or (n) message-services-summary.jsp; (82) kword, (83) uname, (84) pname, (85) sname, (86) file, (87) atype, or (88) atitle parameter to license-summary.jsp; (89) portal, (90) fromDate, (91) toDate, (92) fromTime, (93) toTime, (94) orderBy, (95) sortDirection, (96) uid, (97) uid2, (98) kword, (99) uname, (100) pname, (101) sname, (102) file, (103) atype, or (104) atitle parameter to useragent-device-summary.jsp; (105) fromDate, (106) toDate, (107) fromTime, (108) toTime, (109) orderBy, (110) sortDirection, (111) kword, (112) uname, (113) pname, (114) sname, (115) file, (116) atype, or (117) atitle parameter to (o) top-message-providers.jsp, (p) top-message-devices.jsp, (q) top-message-assets.jsp, (r) top-message-downloads.jsp, or (s) top-message-shortcode.jsp; (118) fromDate, (119) toDate, (120) fromTime, (121) toTime, (122) kword, (123) uname, (124) pname, (125) sname, (126) file, (127) atype, or (128) atitle parameter to request-summary.jsp; (129) portal parameter to link-summary-select.jsp, (130) provider-summary-select.jsp, or (131) module-summary-select.jsp; (132) portal, (133) uid, (134) kword, (135) uname, (136) pname, (137) sname, (138) file, (139) atype, or (140) atitle parameter to link-summary.jsp; (141) portal, (142) fromDate, (143) toDate, (144) fromTime, (145) toTime, (146) orderBy, (147) sortDirection, (148) uid, (149) kword, (150) uname, (151) pname, (152) sname, (153) file, (154) atype, or (155) atitle parameter to (t) provider-summary.jsp or (u) module-summary.jsp in reports/pages/.
Reference
http://packetstormsecurity.com/files/131232/Ericsson-Drutt-MSDP-Report-Viewer-Cross-Site-Scripting.html
http://www.securityfocus.com/bid/73933