`Details
=======
Product: EasyDNNnews
Vulnerability: Reflected XSS
Author: Peter Lapp, lappsec () gmail com
CVE: None
Vulnerable Versions: <7.5
Fixed Version: 7.5
Summary
=======
>From the vendor's website: "EasyDNNnews is a very powerful DotNetNuke
module that enables non-technical users to publish and manage articles,
news, press releases, stories and editorials."
During an engagement it was discovered that reflected XSS could be achieved
in two locations by appending a bogus GET parameter that contained
JavaScript in the parameter name. After alerting EasyDNNsolutions of the
vulnerability, they informed me that one of the vulnerabilities had already
been fixed and the other would be fixed in an upcoming release.
Example
=================
http://targetsite.com/Blog/Details/blog-post?%3C/script%3E%3Cscript%3Ealert%280%29%3C/script%3E=1
Solution
========
Upgrade to 7.5
Timeline
========
08/31/15 - Contacted EasyDNNnews about the vulnerability.
09/01/15 - Vendor responds and says the first vulnerability has been fixed
and the other will be in the next release, which was 7.5.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation