ID PACKETSTORM:127262 Type packetstorm Reporter Filippos Mastrogiannis Modified 2014-06-27T00:00:00
Description
ZeroCMS v1.0 Cross-Site Scripting Vulnerability
Vendor: Another Awesome Stuff
Product web page: http://www.aas9.in/zerocms
Affected version: 1.0
Severity: Medium
CVE: CVE-2014-4195
Date: 20/06/2014
Discovered by: Filippos Mastrogiannis (@filipposmastro)
ZeroCMS is a very simple Content Management System built using PHP and MySQL.
Description: ZeroCMS v1.0 is vulnerable to Cross-Site Scripting (XSS).
A cross-site scripting vulnerability was identified in the "article_id" parameter of
the "zero_view_article.php" file, which allows an attacker to execute arbitrary
script code in the browser of an unsuspecting user in the context of the affected site.
This opens several attack opportunities, most notably hijacking the user's
current session or altering the page's HTML on the fly to steal the user's
credentials. This happens because the user input is interpreted as
HTML/JavaScript by the browser rather than being treated as data.
Proof Of Concept:
In order to trigger the vulnerability and to display an alert box with the session
cookie, use the following standard payload:
http://localhost/zerocms/zero_view_article.php?article_id=<script>alert(document.cookie);</script>
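As an added example (not part of the original advisory and not ZeroCMS's own code), the following Python models the reflected output the advisory describes beside a hardened handler that allow-lists article_id as a positive integer and HTML-encodes anything it reflects, and then flags access-log requests whose article_id is not numeric. The handler names, the sample log lines and the /zerocms install path are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for article_id: ZeroCMS uses it as a numeric article key, so
# anything that is not a positive integer is rejected before it is used.
ARTICLE_ID_RE = re.compile(r"[1-9][0-9]{0,9}")

def render_article_vulnerable(article_id: str) -> str:
    # Constructed stand-in for the behaviour the advisory describes:
    # the raw GET parameter is written straight into the page as HTML.
    return f"<h1>Article {article_id}</h1>"

def render_article_hardened(article_id: str) -> tuple:
    # Hardened form: validate first, then HTML-encode whatever is reflected.
    # The escape is belt-and-braces once the allow-list passes, but keeps
    # the output safe if the validation is ever loosened. Returns (status, body).
    if not ARTICLE_ID_RE.fullmatch(article_id):
        return 400, "<h1>Invalid article id</h1>"
    return 200, f"<h1>Article {html.escape(article_id, quote=True)}</h1>"

def suspicious_article_requests(log_lines):
    # Detection: (client_ip, article_id) for each request to zero_view_article.php
    # whose article_id is not a plain integer. Expects combined-format access
    # log lines, where the request path is the seventh whitespace-separated field.
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        path = fields[6]
        if not path.startswith("/zerocms/zero_view_article.php"):  # assumed install path
            continue
        # parse_qs percent-decodes once, so an encoded <script> is compared decoded.
        query = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for value in query.get("article_id", []):
            if not ARTICLE_ID_RE.fullmatch(value):
                hits.append((fields[0], value))
    return hits

# Constructed access-log lines (not from the page): one normal article view,
# one probe carrying the advisory's payload percent-encoded, one unrelated hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jun/2014:10:00:01 +0000] "GET /zerocms/zero_view_article.php?article_id=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Jun/2014:10:00:07 +0000] "GET /zerocms/zero_view_article.php?article_id=%3Cscript%3Ealert(document.cookie)%3B%3C/script%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [20/Jun/2014:10:00:09 +0000] "GET /zerocms/index.php HTTP/1.1" 200 900',
]
```

Running `suspicious_article_requests(SAMPLE_LOG)` reports only the second line, decoded, while the hardened handler answers the same value with a 400 instead of reflecting it.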