My first Cross-site scripting CVE-2017-9085

While performing a legal web audit (white box) for a client, I found myself in front of a Kodak InSite portal, version 8.0.

After reviewing it from top to bottom, I found something curious: the portal had its own system for making a compatibility diagnosis to know if your web browser could work with the Kodak InSite portal.

As expected, this type of web diagnostic contained security deficiencies. Specifically, a JS function called “CSDU_DisplayDiagnosticApplet” allows code to be injected through the “paramFile” parameter using the GET method.
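
The pattern described above, as an added example (not Kodak's code, which this post does not show): a helper that copies the `paramFile` query parameter into markup, next to a hardened version that allow-lists the value and escapes it on output. The function names, the `<applet>` markup, the allow-list pattern and the `portal.example` URLs are assumptions constructed for illustration.

```javascript
// Added illustration, not Kodak's code. Only the "paramFile" parameter name
// comes from the post; everything else here is hypothetical.

// Vulnerable pattern: a GET parameter is concatenated straight into markup.
function renderDiagnosticUnsafe(pageUrl) {
  const paramFile = new URL(pageUrl).searchParams.get("paramFile") || "";
  return '<applet code="Diag.class"><param name="paramFile" value="' +
    paramFile + '"></applet>';
}

// Encode every character that can end an attribute value or open a tag.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                        '"': "&quot;", "'": "&#39;", "`": "&#96;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ENTITIES[ch]);
}

// Assumed policy: the parameter only ever names a plain file such as diag.xml.
const SAFE_PARAM_FILE = /^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$/;

// Hardened pattern: allow-list first, then escape on output as a second layer.
function renderDiagnosticSafe(pageUrl) {
  const paramFile = new URL(pageUrl).searchParams.get("paramFile") || "";
  if (!SAFE_PARAM_FILE.test(paramFile)) {
    return { ok: false, html: "<p>Invalid diagnostic parameter.</p>" };
  }
  return { ok: true,
    html: '<applet code="Diag.class"><param name="paramFile" value="' +
      escapeHtml(paramFile) + '"></applet>' };
}

// Constructed inputs: one expected value, one that breaks out of the attribute
// with harmless markup (decodes to: x"><b>injected</b>).
const BENIGN_URL = "https://portal.example/diag.html?paramFile=diag.xml";
const BREAKOUT_URL =
  "https://portal.example/diag.html?paramFile=x%22%3E%3Cb%3Einjected%3C%2Fb%3E";

for (const url of [BENIGN_URL, BREAKOUT_URL]) {
  console.log("unsafe:", renderDiagnosticUnsafe(url));
  console.log("safe:  ", JSON.stringify(renderDiagnosticSafe(url)));
}
```
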

Without XSS:

With XSS:


After informing my client, I contacted Kodak, as it is my duty as an ethical hacker to try to mitigate this security breach. After numerous e-mails exchanged with Kodak, I was informed that they had no way to validate this security breach unless I gave them access to the Kodak InSite portal that my client has installed. After this “absurd” excuse, I decided to make this vulnerability public through two sources:

I also told Kodak that I could test this problem on any of the Kodak InSite portals that Google has indexed. We simply had to enter “intitle: kodak insite” in Google.

Using the second “public source” found in Google, we used one of the two payloads from the PoC in my packetstormsecurity publication.




I hope you liked it.

