CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability


CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability

Exploit Title: TennisConnect “TennisConnect COMPONENTS System” /index.cfm pid Parameter XSS

Product: TennisConnect COMPONENTS System

Vendor: TennisConnect

Vulnerable Versions: 9.927

Tested Version: 9.927

Advisory Publication: Nov 18, 2014

Latest Update: Nov 18, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-8490

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]

Advisory Details:

(1) Vendor URL:

Product Description:

TennisConnect COMPONENTS

* Contact Manager (online player database)

* Interactive Calendar including online enrollment

* League & Ladder Management through Tencap Tennis

* Group Email (including distribution lists, player reports, unlimited sending volume and frequency)

* Multi-Administrator / security system with Page Groups

* Member Administration

* MobileBuilder

* Online Tennis Court Scheduler

* Player Matching (Find-a-Game)

* Web Site Builder (hosted web site and editing tools at www. your domain name .com)

(2) Vulnerability Details.

TennisConnect COMPONENTS System has a security problem. It is vulnerable to XSS attacks.

(2.1) The vulnerability occurs at “/index.cfm?” page, with “&pid” parameter.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s