SmarterStats 11.3.6347 - Cross-Site Scripting

sqlhacker 2017-09-27 webapps aspx
----------------------------
Title: CVE-2017-14620
----------------------------
TL;DR: SmarterStats Version 11.3.6347, and possibly prior versions, 
will Render the Referer Field of HTTP Logfiles in URL /Data/Reports/ReferringURLsWithQueries
----------------------------
Author: David Hoyt
Date: September 29, 2017
----------------------------
CVSS:3.0 Metrics
CVSS:3.0 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C/CR:M/MAV:N/MAC:L/MPR:N/MUI:R/MS:U/MC:L/MI:N/MA:N
CVSS:3.0 Scores: Base Score 4.3, Temporal Score: 4.1, Environmental Score: 4.1
----------------------------
Keywords
----------------------------
CVE-2017-14620, CWE-533, CWE-532, CWE-117, CWE-93, CAPEC-86, CAPEC-79, Stored Document Object Model Cross Site Scripting (Stored DOM XSS), 
Client Side Request Forgery (CSRF), Open Redirection, HTTP Logfiles, Exploit, PoC, HTML Tags, SmarterStats 11.3
----------------------------
CVE-2017-14620 Requirements
----------------------------
	SmarterStats Version 11.3
	HTTP Proxy (BurpSuite, Fiddler)
	Web Browser (Chrome - Current/Stable)
	User Interaction Required - Must Click Referer Link Report
	Supported Windows OS
	Microsoft .NET 4.5
----------------------------
CVE-2017-14620 Reproduction
----------------------------
Vendor Link https://www.smartertools.com/smarterstats/website-analytics
Download Link https://www.smartertools.com/smarterstats/downloads

Step 1: Test with an HTTP Logfile containing a URL-encoded String to the Referer Field with HTML Tags to be Rendered in a Browser:

http://www.bing.com/search?q=Loading\n
\n