goYWP WebPress 13.00.06 Cross Site Scripting

2014.12.10
Credit: Wang Jing
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

*CVE-2014-8751 goYWP WebPress Multiple XSS (Cross-Site Scripting) Security Vulnerabilities* Exploit Title: goYWP WebPress Multiple XSS (Cross-Site Scripting) Security Vulnerabilities Product: WebPress Vendor: goYWP Vulnerable Versions: 13.00.06 Tested Version: 13.00.06 Advisory Publication: Dec 09, 2014 Latest Update: Dec 09, 2014 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: CVE-2014-8751 Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore] *Advisory Details:* *(1) Product* "WebPress is the foundation on which we build web sites. It?s our unique Content Management System (CMS), flexible enough for us to build your dream site, and easy enough for you to maintain it yourself." *(2) Vulnerability Details:* goYWP WebPress is vulnerable to XSS attacks. *(2.1)* The first security vulnerability occurs at "/search.php" page with "&search_param" parameter in HTTP GET. *(2.2)* The second security vulnerability occurs at "/forms.php" (form submission ) page with "&name", "&address" "&comment" parameters in HTTP POST. *References:* http://tetraph.com/security/cves/cve-2014-8751-goywp-webpress-multiple-xss-cross-site-scripting-security-vulnerabilities/ http://www.goywp.com/view/cms http://www.goywp.com/demo.php http://cwe.mitre.org http://cve.mitre.org/

References:

http://tetraph.com/security/cves/cve-2014-8751-goywp-webpress-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://www.goywp.com/view/cms
http://www.goywp.com/demo.php
http://cwe.mitre.org
http://cve.mitre.org/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top