Thelia 2.2.1 Cross Site Scripting

Credit: Curesec
Risk: Low
Local: No
Remote: Yes

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Thelia 2.2.1
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Contact:
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 11/13/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description:
Thelia 2.2.1 suffers from a reflected XSS vulnerability: the month and year
parameters of the admin statistics page (/admin/home/stats) are echoed into
the response without validation or output encoding, as the proof of concept
below shows. An attacker who gets a victim to open a crafted link can, for
example, inject a JavaScript keylogger, or use the injected script to issue
requests from the victim's session and thereby bypass CSRF protection.

3. Proof of Concept

http://localhost/thelia_2.1.5/web/admin/home/stats?month=95<img src=no onerror=alert(1)>&year=20155<img src=no onerror=alert(2)>

4. Solution

This issue had not been fixed by the vendor at the time of disclosure.

5. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public

Blog Reference:
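The following is an added illustration of the bug class, not Thelia's code and not part of the Curesec advisory. It parses the advisory's PoC URL the way a server would, shows a handler that reflects the month and year parameters verbatim (the pattern the advisory describes), and contrasts it with a hardened handler that validates both values as integers in a fixed range before anything is echoed back. The handler names, the HTML layout and the accepted year range are assumptions; only the PoC URL and the parameter names come from the advisory. It also shows why a filter that merely strips `<script>` tags would not have helped here, since the PoC payload carries its JavaScript in an `onerror` attribute.

```python
"""Reflected XSS via unvalidated integer query parameters: vulnerable vs hardened.

Illustrative code only (not Thelia's). Function names, HTML layout and the
accepted year range are assumptions; the PoC URL is the one from the advisory.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# PoC URL quoted in section 3 of the advisory.
POC_URL = (
    "http://localhost/thelia_2.1.5/web/admin/home/stats"
    "?month=95<img src=no onerror=alert(1)>"
    "&year=20155<img src=no onerror=alert(2)>"
)


class BadRequest(ValueError):
    """Raised by the hardened handler; a web framework would turn this into HTTP 400."""


def query_params(url):
    """Return the first value of each query parameter, as a server would see it.

    parse_qs splits each pair on the first '=' only, so the '=' characters inside
    the payload (src=no, onerror=alert(1)) stay part of the month value.
    """
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_stats_vulnerable(params):
    """Echoes month/year straight into the page: the pattern the advisory describes."""
    month = params.get("month", "")
    year = params.get("year", "")
    return f"<h2>Statistics for {month}/{year}</h2>"


def strip_script_tags(value):
    """A common but insufficient mitigation: the PoC uses no <script> tag at all."""
    return re.sub(r"(?is)<\s*/?\s*script[^>]*>", "", value)


def parse_int_in_range(value, low, high):
    """Accept only a plain decimal string whose value lies in [low, high]."""
    if not value.isdecimal():
        raise BadRequest(f"not an integer: {value!r}")
    number = int(value)
    if not low <= number <= high:
        raise BadRequest(f"out of range: {number}")
    return number


def render_stats_hardened(params):
    """Validate both parameters as integers first, then HTML-escape what is echoed.

    Month must be 1..12; the year range 2000..2100 is an assumption for this example.
    """
    month = parse_int_in_range(params.get("month", ""), 1, 12)
    year = parse_int_in_range(params.get("year", ""), 2000, 2100)
    # Escaping is redundant for integers, but keeps the template safe if the
    # variables are ever changed back to free-form strings.
    return f"<h2>Statistics for {html.escape(str(month))}/{html.escape(str(year))}</h2>"


def is_rejected(params):
    """True if the hardened handler refuses the request (what a 400 response signals)."""
    try:
        render_stats_hardened(params)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    poc = query_params(POC_URL)
    print("vulnerable :", render_stats_vulnerable(poc))
    print("script-only filter still leaves:", strip_script_tags(poc["month"]))
    print("hardened rejects PoC:", is_rejected(poc))
    print("hardened, valid input:", render_stats_hardened({"month": "9", "year": "2015"}))
```

The essential fix is the type check: a month or year is an integer, so anything that does not parse as one should be rejected before the template runs, and the template should still encode on output so that a later change to the variable's type does not silently reopen the hole.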
