VYPR
Unrated severity · NVD Advisory · Published Jan 12, 2018 · Updated Aug 6, 2024

CVE-2015-9248

Description

Skybox Platform before 7.5.201 contains stored XSS in Change Manager ticket title, Comments, or Description fields.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Skybox Platform versions prior to 7.5.201 are affected by stored cross-site scripting (XSS) vulnerabilities in the Change Manager component. The vulnerability exists in the /skyboxview/webskybox/tickets endpoint, where the title, Comments, or Description fields do not properly sanitize user-supplied input. An authenticated user can inject arbitrary JavaScript or HTML into these fields, which is later rendered to other users viewing the ticket [1].

Exploitation

An attacker must have valid authentication credentials to the Skybox Platform. They can create or edit a ticket in Change Manager and inject malicious script into the title, Comments, or Description fields. When other users (including administrators) view the affected ticket, the injected script executes in their browser context. No additional user interaction beyond viewing the ticket is required [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking (theft of authentication cookies), exfiltration of sensitive data displayed on the page, or performing actions on behalf of the victim. The severity is heightened because the payload is stored server-side and is served to every user who accesses the compromised ticket [1].

Mitigation

The vendor released version 7.5.201 to address this and other vulnerabilities. All installations should be upgraded to Skybox Platform 7.5.201 or later. No workarounds are documented; input validation and output encoding should be enforced for all user-facing fields as a general best practice. The vulnerability is not listed on the CISA KEV at the time of publication [1].
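As an added illustration of the output-encoding mitigation (this is not Skybox's code; the field names follow the advisory, while the ticket contents and the rendering functions are constructed here), the unsafe rendering pattern is shown beside its hardened form, together with a regression check that no tag stored in a ticket field reaches the rendered page verbatim:

```python
import html
import re

# Constructed sample ticket, not data from the advisory. The comments and
# description fields carry markup of the kind the advisory describes being
# stored and later rendered to other users.
SAMPLE_TICKET = {
    "title": "Open port 443 on edge firewall",
    "comments": "<script>alert('stored')</script> approved by NOC",
    "description": "Change window: Tue 02:00 <b>UTC</b>",
}

TICKET_FIELDS = ("title", "comments", "description")


def render_ticket_unsafe(ticket):
    """Mirrors the flaw: field values are interpolated into HTML as-is."""
    rows = [f"<tr><th>{f}</th><td>{ticket[f]}</td></tr>" for f in TICKET_FIELDS]
    return "<table>" + "".join(rows) + "</table>"


def render_ticket_safe(ticket):
    """Hardened form: HTML-encode every field at the point of output.

    html.escape turns <, >, &, " and ' into entities, so stored markup is
    displayed as literal text instead of being parsed by the viewer's browser.
    """
    rows = [
        f"<tr><th>{f}</th><td>{html.escape(str(ticket[f]), quote=True)}</td></tr>"
        for f in TICKET_FIELDS
    ]
    return "<table>" + "".join(rows) + "</table>"


# Matches an opening or closing HTML tag inside a stored field value.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def injected_tags(rendered, ticket):
    """Return every tag from a ticket field that survived rendering verbatim.

    Regression check for the renderer: the hardened version must return [].
    """
    leaked = []
    for f in TICKET_FIELDS:
        for tag in TAG_RE.findall(str(ticket[f])):
            if tag in rendered:
                leaked.append(tag)
    return leaked
```

The same check can be pointed at any server-side template that renders ticket fields, which is where the encoding has to live; client-side filtering alone does not protect other users who view the stored ticket.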

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
