PRTG V8.1.2.1809 (All OS Versions):
http://www.paessler.com/
I have discovered two XSS bugs within PRTG version 8.1.2.1809. These bugs
are in the login.htm and error.htm documents.
These issues were possible because of a lack of input checking of the errormsg
and errorurl GET parameters within login.htm. Output encoding routines were also
not consistently used throughout the application.
PoC:
The vendor was very responsive and has fixed these issues in version
8.2.0.1898/189 released on January 17th 2011.
Thanks,
Joshua Gimer
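
Added example (not part of the original advisory and not PRTG code): a sketch of the two missing controls the advisory names, input checking and output encoding, applied to the errormsg and errorurl parameters. It assumes errormsg is reflected into HTML body text and errorurl into a link target; the function names, fallback URL and markup are hypothetical.

```python
import html
from urllib.parse import parse_qs, urlsplit

SAFE_FALLBACK_URL = "/"  # hypothetical default used when errorurl is rejected


def safe_error_url(raw):
    """Input check: accept only same-site absolute paths for errorurl."""
    # Reject empty values and control characters (tabs/newlines can hide schemes).
    if not raw or any(ord(c) < 0x20 for c in raw):
        return SAFE_FALLBACK_URL
    try:
        parts = urlsplit(raw)
    except ValueError:
        return SAFE_FALLBACK_URL
    # No scheme (javascript:, data:, http:) and no host component allowed.
    if parts.scheme or parts.netloc:
        return SAFE_FALLBACK_URL
    # Must be a plain path; '//' and backslashes can be read as a host by browsers.
    if not raw.startswith("/") or raw.startswith("//") or "\\" in raw:
        return SAFE_FALLBACK_URL
    return raw


def render_error_fragment(query_string):
    """Output encoding: HTML-escape both values at the point they are written."""
    params = parse_qs(query_string, keep_blank_values=True)
    msg = params.get("errormsg", [""])[0]
    url = safe_error_url(params.get("errorurl", [""])[0])
    # quote=True also escapes " and ', which matters inside the href attribute.
    return '<p class="error">{}</p><a href="{}">Back</a>'.format(
        html.escape(msg, quote=True), html.escape(url, quote=True)
    )


if __name__ == "__main__":
    # Constructed query strings, used only to exercise the checks.
    samples = [
        "errormsg=Login+failed&errorurl=%2Flogin.htm",
        "errormsg=%3Cscript%3Ealert(1)%3C%2Fscript%3E&errorurl=javascript%3Aalert(1)",
    ]
    for qs in samples:
        print(render_error_fragment(qs))
```

The URL check runs before encoding because HTML-escaping alone does not neutralise a `javascript:` scheme in a link target.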