Lucene search
High-Tech BridgeHTB23166HistoryJul 24, 2013 - 12:00 a.m.
Cross-Site Scripting (XSS) in Twilight CMS
2013-07-2400:00:00
High-Tech Bridge
www.htbridge.com
15
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
55.5%
High-Tech Bridge Security Research Lab discovered vulnerability in Twilight CMS, which can be exploited to perform Cross-Site Scripting (XSS) attacks.
- Cross-Site Scripting (XSS) in Twilight CMS: CVE-2013-4899
The vulnerability exists due to insufficient filtration of user-supplied data appended to “/gallery/” URL. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The exploitation example below uses JavaScript “alert()” function to display user’s cookies:
http://[host]/gallery//%f6%22%20onmouseover%3dalert%28document.cookie%29%20/ /
| CPE | Name | Operator | Version |
|---|---|---|---|
| twilight cms | le | 5.17 |
Related
prion
prion
Cross site scripting
2013-09-09 17:55:00
packetstorm
packetstorm
Twilight CMS 5.17 Cross Site Scripting
2013-08-22 00:00:00
securityvulns
securityvulns
Cross-Site Scripting (XSS) in Twilight CMS
2013-09-09 00:00:00
zdt
zdt
Twilight CMS 5.17 Cross Site Scripting Vulnerability
2013-08-23 00:00:00
cve
cve
CVE-2013-4899
2013-09-09 17:55:00
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
55.5%
Related for HTB23166