Lucene search
High-Tech BridgeHTB23098HistoryJul 04, 2012 - 12:00 a.m.
Cross-Site Scripting (XSS) in Redaxo
2012-07-0400:00:00
High-Tech Bridge
www.htbridge.com
30
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.008 Low
EPSS
Percentile
79.4%
High-Tech Bridge Security Research Lab has discovered vulnerability in Redaxo, which can be exploited to perform Cross-Site Scripting (XSS) attacks.
- Cross-Site Scripting (XSS) in Redaxo: CVE-2012-3869
1.1 Input passed via the “subpage” GET parameter to /redaxo/index.php (when “page” is set to “user” or “template”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator’s browser session in context of affected website.
The following PoC (Proof of Concept) demonstrate the vulnerability:
http://[host]/redaxo/index.php?page=user&subpage=%22%3E%3Cscript%3Ealert%28d ocument.cookie%29;%3C/script%3E
http://[host]/redaxo/index.php?page=templat e&subpage=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Related
packetstorm
packetstorm
Redaxo 4.4 Cross Site Scripting
2012-07-25 00:00:00
prion
prion
Cross site scripting
2012-08-13 20:55:00
cve
cve
CVE-2012-3869
2012-08-13 20:55:00
securityvulns
securityvulns
Cross-Site Scripting (XSS) in Redaxo
2012-08-13 00:00:00
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.008 Low
EPSS
Percentile
79.4%
Related for HTB23098