Flexense SyncBreeze versions 10.1 through 10.7 suffer from a cross site scripting vulnerability.
*Description:*
URL: localhost/
Affected Component: */?n0ipr0cs<script>alert('XSS')</script>n0ipr0cs=1*

*Vulnerability Type:* Cross Site Scripting (CWE-79) https://cwe.mitre.org/data/definitions/79.html

*Vendor of Product:* Flexense - SyncBreeze

*Version:* from v10.1 to v10.7

*Attack Type:* Remote

*Impact:* This attack allows an attacker to execute script code in the context of the victim's browser session. The vulnerability affects the confidentiality of personal data: possible theft of confidential information, for example session credentials, cookie information, personal information, or a possible loss of control of the PC.

*About:* SyncBreeze is a fast, powerful and reliable file synchronization solution for local disks, network shares, NAS storage devices and enterprise storage systems. Users are provided with multiple one-way and two-way file synchronization modes, periodic file synchronization, real-time file synchronization, bit-level file synchronization, multi-stream file synchronization, background file synchronization and much more.

*Credits:* This vulnerability has been discovered by Francisco Javier Santiago Vázquez aka "n0ipr0cs" https://es.linkedin.com/in/francisco-javier-santiago-v%C3%A1zquez-1b654050

*Disclosure Timeline:*
April 07, 2018: Vulnerability acquired by Francisco Javier Santiago Vázquez aka "n0ipr0cs".
April 07, 2018: Responsible disclosure to Flexense Security Team.
April 18, 2018: Second message of responsible disclosure to Flexense Security Team.
April 22, 2018: Responsible disclosure to MITRE, using CVE-2018-10294.
April 24, 2018: Feedback to MITRE and to Flexense. I have asked them to please update the website.
April 12, 2018: The vulnerability has been fixed. The new product version (v10.8) fixes a number of bugs and security vulnerabilities; this includes CVE-2018-10564 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10564>
April 30, 2018: Disclosure of vulnerability.
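The defect class above is a query-string fragment (here the parameter *name*, not a value) reflected into the response unescaped. The following is an added example, not code from the advisory or from Flexense: a hypothetical handler that echoes request parameters verbatim next to its hardened form, plus a log check that flags requests carrying a script tag; the request URL and access-log lines are constructed from the advisory's proof of concept.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request URL constructed from the advisory's proof of concept; the payload sits in the
# parameter *name*, so a handler that escapes only values would still reflect it raw.
POC_REQUEST_URL = "http://localhost/?n0ipr0cs<script>alert('XSS')</script>n0ipr0cs=1"

# Constructed access-log lines (Common Log Format) for the detection check below.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [07/Apr/2018:10:12:01 +0200] "GET /?n0ipr0cs%3Cscript%3Ealert(%27XSS%27)%3C/script%3En0ipr0cs=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [07/Apr/2018:10:12:03 +0200] "GET /login HTTP/1.1" 200 2048',
]

def query_pairs(url):
    """Split the query string into (name, value) pairs, keeping empty values."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def render_vulnerable(url):
    """Hypothetical page that echoes request parameters verbatim: the defect class in the advisory."""
    rows = "".join(f"<li>{name}={value}</li>" for name, value in query_pairs(url))
    return f"<html><body><ul>{rows}</ul></body></html>"

def render_hardened(url):
    """Same page with every reflected fragment HTML-escaped, parameter names included."""
    rows = "".join(
        f"<li>{html.escape(name)}={html.escape(value)}</li>" for name, value in query_pairs(url)
    )
    return f"<html><body><ul>{rows}</ul></body></html>"

def contains_unescaped_script(markup):
    """Regression check: does a literal <script> tag survive in the rendered page?"""
    return "<script" in markup.lower()

# Detection side: flag requests in the web server log whose URL carries a script tag.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

def suspicious_requests(log_lines):
    """Return (client, decoded path) for entries whose URL contains a <script> tag."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, path = m.group(1), unquote(m.group(2))  # decode %3C etc. before matching
        if SCRIPT_TAG_RE.search(path):
            hits.append((client, path))
    return hits
```

The hardened renderer is the fix pattern; the log check is a coarse first-pass signal and will miss encodings other than plain percent-encoding.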
*Link:* http://blog.n0ipr0cs.io/post/2018/04/29/XSS-Flexense-DiskBoss-Enterprise-all-versions

F. Javier Santiago Vázquez
about.me/javiersantiagovazquez