redaxscript 2.5.0 Cross Site Scripting

`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: redaxscript 2.5.0  
Fixed in: 2.6.1  
Fixed Version Link: http://redaxscript.com/files/releases/  
redaxscript_2.6.1_full.zip  
Vendor Contact: [email protected]  
Vulnerability Type: XSS  
Remote Exploitable: Yes  
Reported to vendor: 10/02/2015  
Disclosed to 12/02/2015  
public:  
Release mode: Coordinated release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
CVSS  
  
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N  
  
Description  
  
There is a persistent XSS vulnerability when leaving comments. It requires the  
admin to hover over a link to trigger the injected code.  
  
This issue can lead to the injection of JavaScript keyloggers, or the bypassing  
of CSRF protection. In this case, this may lead to code execution.  
  
The issue has been partially fixed in version 2.6.0. However, it was still  
possible to inject a style attribute, making XSS in older browsers possible.  
This has been fixed in version 2.6.1.  
  
3. Proof of Concept  
  
  
1. Create a comment, as comment text use:  
comment" onmouseover=alert(1) foo="  
2. In the sidebar, hover over the comment to trigger the XSS.  
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 2.6.1:  
  
http://redaxscript.com/files/releases/redaxscript_2.6.1_full.zip  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
10/02/2015 Informed Vendor about Issue  
11/15/2015 Vendor releases partial fix  
11/24/2015 Informed vendor that fix is incomplete  
11/25/2015 Vendor releases fix  
12/02/2015 Disclosed to public  
  
  
Blog Reference:  
https://blog.curesec.com/article/blog/redaxscript-250-XSS-118.html  
  
--  
blog: https://blog.curesec.com  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Romain-Rolland-Str 14-24  
13089 Berlin, Germany  
  
  
`