CVE-2017-16841

Vulnerability

LanSweeper version 6.0.100.75 contains a cross-site scripting vulnerability in the /Calendar/CalendarActions.aspx page. The description parameter is not properly sanitized, allowing an attacker to inject arbitrary HTML and JavaScript. The vulnerability can be triggered by crafting a URL with a malicious description value [1].

Exploitation

An attacker can exploit this vulnerability by crafting a specially crafted URL and enticing a victim to click it. No authentication or special privileges are required. For example, a URL like http://victim.com/Calendar/CalendarActions.aspx?action=scheduleinfo&id=2&description=XSS/HTMLI can be used to inject script code. The attacker can also use other vulnerable parameters in different pages such as /Scanning/report.aspx and /Software/report.aspx [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, data theft, or further attacks against the LanSweeper application and its users. The attacker can potentially perform actions on behalf of the victim, such as modifying or deleting calendar events [1].

Mitigation

The vendor has been contacted and a patch is available. Users should update LanSweeper to the latest version that fixes this vulnerability. No workaround is provided in the reference [1].