Thelia 2.2.1 Cross Site Scripting

2015.11.17

Credit: Curesec

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Thelia 2.2.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: info@thelia.net
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description
Thelia 2.2.1 suffers from an XSS vulnerability. With this, it is for example
possible to inject JavaScript keyloggers, or to bypass CSRF protection.
3. Proof of Concept
http://localhost/thelia_2.1.5/web/admin/home/stats?month=95<img src=no onerror=alert(1)>&year=20155<img src=no onerror=alert(2)>
4. Solution
This issue has not been fixed by the vendor
5. Report Timeline
09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/Thelia-221-XSS-90.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Thelia 2.2.1 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.