Flexense SyncBreeze 10.7 Cross Site Scripting

July 31, 2018 - Exploits


Flexense SyncBreeze versions 10.1 through 10.7 suffer from a cross site scripting vulnerability.

URL: l <>ocalhost/
Affected Component: */?n0ipr0cs<script>alert('XSS')</script>n0ipr0cs=1*

*Vulnerability Type:*
Cross Site Scripting

*Vendor of Product: *
Flexense- SyncBreeze

*Version: *
from v10.1 to v10.7

*Attack Type: *

*Impact: *
This attack allows an attacker code execution. The vulnerability affects
the confidentiality of personal data, possible theft of confidential
information, for example credentials of session, cookie information,
personal information, or a possible loss of control of the PC.

SyncBreeze is a fast, powerful and reliable file synchronization solution
for local disks, network shares, NAS storage devices and enterprise storage
systems. Users are provided with multiple one-way and two-way file
synchronization modes, periodic file synchronization, real-time file
synchronization, bit-level file synchronization, multi-stream file
synchronization, background file synchronization and much more.

This vulnerability have been discovered by
Francisco Javier Santiago VA!zquez  aka "n0ipr0cs"

*Disclosure Timeline:*
April 07, 2018: Vulnerability acquired by Francisco Javier Santiago
VA!zquez. aka "n0ipr0cs".
April 07, 2018: Responsible disclosure to Flexense Security Team.
April 18, 2018: Second Message Responsible disclosure to Flexense Security
April 22, 2018: Responsible disclosure to Mitre and use CVE-2018-10294.
April 24, 2018:  Feedback to Mitre and to Flexense. I have asked please
update the website in
April 12, 2018: The vulnerability has been fixed.The new product version
(v10.8) fixes a number of bugs and security vulnerabilities, this include
April 30, 2018: Disclosure of vulnerability.

F. Javier Santiago VA!zquez


Leave a Reply

Your email address will not be published. Required fields are marked *