Tendoo CMS 1.3 Cross Site Scripting

2015.08.03

Credit: Arash Khazaei

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: Tendoo CMS Stored And Reflected Xss Vulnerability
# Google Dork: N/A
# Date: 28/7/2015
# Exploit Author: Arash Khazaei
# Vendor Homepage: http://tendoo.org/
# Software Link: http://sourceforge.net/projects/tendoo-cms/
# Version: 1.3
# Tested on: Kali , Windows
# CVE : N/A
# Contact : 0xclay@gmail.com
######################
Introduction :
a Stored And a Reflected XSS Vulnerability In Profile Area In Tendoo CMS
Make CMS Vulnerable And Can Be Used For Stealing Admin Cookies And ....... .
######################
Stored Xss In http://localhost/tendoo/index.php/account/update In First
Name and Last Name Inputs
Excute Java Script Codes And If Admin Or Any Body Come In Attacker Profile
When First Name And Last Name Loads
JavaScripts Code Will Be Excuted
POC :
https://i.leetfil.es/e992ad2d.jpg
Reflected Xss In http://localhost/tendoo/index.php/account/update?info=
Input Make Execute JavaScripts Codes
POC :
https://i.leetfil.es/454570b1.jpg
You Can See Javascript Alerts In Pictures .
Discovered By Arash Khazaei

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Tendoo CMS 1.3 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.