A vulnerability, which was classified as problematic, was found in ServersCheck Monitoring Software up to 14.2.2. This affects an unknown code of the file settings-save.html. The manipulation of the argument settings_SMS_ALERT_TYPE as part of a Parameter leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-79. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity. The summary by CVE is:

ServersCheck Monitoring Software before 14.2.3 is prone to a cross-site scripting vulnerability as user supplied-data is not validated/sanitized when passed in the settings_SMS_ALERT_TYPE parameter, and JavaScript can be executed on settings-save.html (the Settings - SMS Alerts page).

The bug was discovered 12/21/2017. The weakness was published 12/27/2017 (Website). The advisory is shared at serverscheck.com. This vulnerability is uniquely identified as CVE-2017-17832 since 12/21/2017. It is possible to initiate the attack remotely. A authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1059.007 for this issue.

The vulnerability was handled as a non-public zero-day exploit for at least 6 days. During that time the estimated underground price was around $0-$5k. By approaching the search of inurl:settings-save.html it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 14.2.3 eliminates this vulnerability.

Similar entry is available at 125834.

Productinfo

Vendor

• ServersCheck

Name

• Monitoring Software

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion