Description
Reflected cross-site scripting vulnerability (XSS) in the evoadm.php file in b2evolution cms version 6.11.6-stable allows remote attackers to inject arbitrary webscript or HTML code via the tab3 parameter.
Affected Software
Related
{"id": "CVE-2020-22839", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-22839", "description": "Reflected cross-site scripting vulnerability (XSS) in the evoadm.php file in b2evolution cms version 6.11.6-stable allows remote attackers to inject arbitrary webscript or HTML code via the tab3 parameter.", "published": "2021-02-09T20:15:00", "modified": "2021-02-12T21:38:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-22839", "reporter": "cve@mitre.org", "references": ["https://sohambakore.medium.com/b2evolution-cms-reflected-xss-in-tab-type-parameter-in-evoadm-php-38886216cdd3", "http://packetstormsecurity.com/files/161363/b2evolution-CMS-6.11.6-Cross-Site-Scripting.html", "https://www.exploit-db.com/exploits/49555"], "cvelist": ["CVE-2020-22839"], "immutableFields": [], "lastseen": "2022-03-23T15:13:19", "viewCount": 182, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:49555"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161363"]}], "rev": 4}, "score": {"value": 4.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:49555"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161363"]}]}, "exploitation": null, "vulnersScore": 4.5}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:b2evolution:b2evolution_cms:6.11.6"], "cpe23": ["cpe:2.3:a:b2evolution:b2evolution_cms:6.11.6:*:*:*:*:*:*:*"], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "b2evolution:b2evolution_cms", "version": "6.11.6", "operator": "eq", "name": "b2evolution b2evolution cms"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:b2evolution:b2evolution_cms:6.11.6:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://sohambakore.medium.com/b2evolution-cms-reflected-xss-in-tab-type-parameter-in-evoadm-php-38886216cdd3", "name": "https://sohambakore.medium.com/b2evolution-cms-reflected-xss-in-tab-type-parameter-in-evoadm-php-38886216cdd3", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/161363/b2evolution-CMS-6.11.6-Cross-Site-Scripting.html", "name": "http://packetstormsecurity.com/files/161363/b2evolution-CMS-6.11.6-Cross-Site-Scripting.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/49555", "name": "https://www.exploit-db.com/exploits/49555", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"exploitdb": [{"lastseen": "2022-01-13T05:29:37", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-02-11T00:00:00", "type": "exploitdb", "title": "b2evolution 6.11.6 - 'tab3' Reflected XSS", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-22839"], "modified": "2021-02-11T00:00:00", "id": "EDB-ID:49555", "href": "https://www.exploit-db.com/exploits/49555", "sourceData": "# Exploit Title: b2evolution 6.11.6 - 'tab3' Reflected XSS\r\n# CVE: CVE-2020-22839\r\n# Date: 10/02/2021\r\n# Exploit Author: Nakul Ratti, Soham Bakore\r\n# Vendor Homepage: https://b2evolution.net/\r\n# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405\r\n# Version: 6.11.6\r\n# Tested on: latest version of Chrome, Firefox on Windows and Linux\r\n\r\n--------------------------Proof of Concept-----------------------\r\n\r\nSteps to Reproduce:\r\n\r\n1. Send the following URL http://HOST/evoadm.php?.ctrl=comments&filter=restore&tab3=123%22onmouseover=%22alert(document.domain)%22&blog=1&blog=1 to the logged in victim using any social engineering technique.\r\n2. When an unsuspecting user with high privileges opens this URL, XSS will be triggered which will execute the malicious javascript payload in users browser.\r\n3. The vulnerable parameter in this case is \u201ctab3\u201d.", "sourceHref": "https://www.exploit-db.com/download/49555", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2021-02-10T15:42:14", "description": "", "published": "2021-02-10T00:00:00", "type": "packetstorm", "title": "b2evolution CMS 6.11.6 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-22839"], "modified": "2021-02-10T00:00:00", "id": "PACKETSTORM:161363", "href": "https://packetstormsecurity.com/files/161363/b2evolution-CMS-6.11.6-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: *Reflected XSS in b2evolution CMS 6.11.6 via tab3 \nparameter in evoadm.php* \n# CVE : *CVE-2020-22839* \n# Date: 10/02/2021 \n# Exploit Author: Nakul Ratti, Soham Bakore \n# Vendor Homepage: https://b2evolution.net/ \n# Software Link: \nhttps://b2evolution.net/downloads/6-11-6-stable?download=12405 \n# Version: 6.11.6 \n# Tested on: latest version of Chrome, Firefox on Windows and Linux \n \n \nVulnerable File: \n-------------------------- \nhttp://host/evoadm.php \n \nVulnerable Issue: \n-------------------------- \nTab3 parameter has no input validation. \n \n--------------------------Proof of Concept----------------------- \nSteps to Reproduce: \n \n1. Send the following URL *http://HOST/evoadm.php <http://host/evoadm.php>?* \n*.ctrl=comments&filter=restore&tab3=123%22onmouseover=%22alert(document.domain)%22&blog=1&blog=1* \nto \nthe logged in victim using any social engineering technique. \n2. When an unsuspecting user with high privileges opens this URL, XSS will \nbe triggered which will execute the malicious javascript payload in users \nbrowser. \n3. The vulnerable parameter in this case is \u201c*tab3*\u201d. \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161363/b2evolutioncms6116-xss.txt"}]}
CVE-2020-22839
