CVE-2015-9247
Description
Skybox Platform before 7.5.401 contains reflected XSS in the SOAP endpoint and login.html status parameter, allowing script injection via crafted requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Skybox Platform versions before 7.5.401 are vulnerable to reflected cross-site scripting (XSS). Two independent injection points exist: a soapenv:Body element in /skyboxview/webservice/services/VersionRepositoryWebService, and the status parameter in /skyboxview/login.html. An attacker can inject arbitrary HTML or JavaScript that is reflected back to the user without proper sanitization. [1]
Exploitation
The attacker needs no authentication; the vulnerability is present in public-facing endpoints. For the SOAP endpoint, a crafted SOAP request containing malicious script in the soapenv:Body element triggers the reflection. For the login.html endpoint, the attacker sends a crafted URL with a malicious status parameter. The victim must click the crafted link or be redirected to it (e.g., via phishing). The injected script executes in the victim's browser in the context of the vulnerable application's origin. [1]
Impact
An attacker who successfully exploits this XSS can execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is limited by the browser's same-origin policy, but the attacker can access any resources exposed to the user's session within the Skybox Platform. [1]
Mitigation
The vulnerability is fixed in Skybox Platform version 7.5.401, released on or before the advisory publication date. Users should upgrade to version 7.5.401 or later. No workaround is described in the available references. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <7.5.401
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.