Fiyo CMS Cross Site Scripting

Type packetstorm
Reporter Sachin Wagh
Modified 2016-02-22T00:00:00


*1. Introduction*  
Affected Product: Fiyo CMS  
Fixed in: Fiyo CMS 2.0.6  
Fixed Version Link:  
Vendor Website:  
Vulnerability Type: Persistent XSS  
Remote Exploitable: Yes  
Reported to vendor: 28/12/2015  
Fixed by Vendor: 15/01/2016  
*2. Overview*  
There are multiple persistent (stored) XSS vulnerabilities in Fiyo CMS. The  
vulnerabilities exist because user-supplied data written to the admin fields  
listed below is neither filtered on input nor HTML-encoded on output. A remote  
attacker who can set one of these fields can store arbitrary HTML and script  
code that executes in the browser of any user who later views the affected  
page, in the context of the vulnerable application.  
*3. Affected Modules*  
Affected fields in the modules are listed below:  
i. Users  
User Group -> Group Name, Description  
ii. Modules  
Module Details -> Judul Modul (Module Title), Posisi (Position)  
iii. Menus  
Main Menu -> Menu Details -> Nama (Name)  
Footer Menu -> Menu Details -> Nama (Name)  
Categories -> Menu Details -> Judul Kategori (Category Title)  
Admin Panel -> Menu Details -> Nama (Name)  
Attached POC.  
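To confirm whether a given build still renders one of the fields above as executable markup (for example when verifying the 2.0.6 fix), the following check is added here as an example; it is not the advisory's attached PoC and is not code from Fiyo CMS. It assumes the tester has already submitted a value containing a unique marker string into the field under test and fetched the page that displays that field; the sample pages are constructed for illustration.

```python
"""Classify whether a marker submitted into a CMS field came back as executable
markup (stored XSS present) or as inert, escaped text (field is fixed)."""
from html.parser import HTMLParser

# Constructed marker: a token unlikely to occur anywhere else in the page.
MARKER = "xss7f3a"


class _MarkerScanner(HTMLParser):
    """Record where the marker shows up: inside <script> content or an
    executable attribute (runs in the browser), or only as ordinary text or a
    harmless attribute value (the output was encoded)."""

    def __init__(self, marker):
        super().__init__()
        self.marker = marker
        self.in_script = False
        self.executable = False  # marker landed where a browser would run it
        self.inert = False       # marker landed in text that cannot execute

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if not value or self.marker not in value:
                continue
            # on* handlers and javascript: URLs execute their attribute value;
            # any other attribute (e.g. value="...") holds the marker inertly.
            if name.lower().startswith("on") or \
                    value.strip().lower().startswith("javascript:"):
                self.executable = True
            else:
                self.inert = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # HTMLParser decodes &lt;script&gt; back to <script> before calling us,
        # so text data containing the marker outside <script> means the page
        # encoded the stored value and the payload cannot run.
        if self.marker in data:
            if self.in_script:
                self.executable = True
            else:
                self.inert = True


def classify(page_html, marker=MARKER):
    """Return 'executable', 'inert' or 'absent' for a page fetched after
    storing a payload containing `marker` in one of the affected fields."""
    scanner = _MarkerScanner(marker)
    scanner.feed(page_html)
    scanner.close()
    if scanner.executable:
        return "executable"
    if scanner.inert:
        return "inert"
    return "absent"


# Constructed sample responses standing in for the User Group listing page
# before the fix, after the fix, and with an attribute-breakout payload.
VULNERABLE_PAGE = (
    "<table><tr><td>Admins</td>"
    "<td><script>alert('xss7f3a')</script></td></tr></table>"
)
FIXED_PAGE = (
    "<table><tr><td>Admins</td>"
    "<td>&lt;script&gt;alert('xss7f3a')&lt;/script&gt;</td></tr></table>"
)
ATTRIBUTE_PAGE = (
    "<form><input name=\"name\" value=\"\" "
    "onmouseover=\"alert('xss7f3a')\"></form>"
)

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE),
                        ("fixed", FIXED_PAGE),
                        ("attribute", ATTRIBUTE_PAGE)):
        print(f"{label}: {classify(page)}")
```

Run the check once per field in section 3, using a distinct marker for each, because a fix applied to one template (e.g. the group listing) says nothing about the menu or module pages.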
*4. Payload*  
*5. Credit*  
Himanshu Mehta  
*6. Tested By*  
Himanshu Mehta and Sachin Wagh