Fiyo CMS 2.0.2.1 Cross Site Scripting

2016-02-22T00:00:00
ID PACKETSTORM:135887
Type packetstorm
Reporter Sachin Wagh
Modified 2016-02-22T00:00:00

Description

                                        
                                            `*1. Introduction*  
  
Affected Product: Fiyo CMS 2.0.2.1  
Fixed in: Fiyo CMS 2.0.6  
Fixed Version Link:  
http://www.fiyo.org/blog/versi-2-0-6-banyak-perubahan-untuk-stabilitas  
Vendor Website: http://www.fiyo.org/  
Vulnerability Type: Persistent XSS  
Remote Exploitable: Yes  
Reported to vendor: 28/12/2015  
Fixed by Vendor: 15/01/2016  
CVE:  
  
*2. Overview*  
  
There are multiple persistent XSS vulnerabilities in Fiyo CMS 2.0.2.1. The  
vulnerabilities exist due to insufficient filtration of user-supplied data.  
A remote attacker can execute arbitrary HTML and script code in browser in  
context of the vulnerable application.  
  
  
*3. Affected Modules*  
  
Affected fields in the modules are listed below:  
  
i. Users  
User Group -> Group Name, Description  
  
ii. Modules  
Module Details->Judul Modul, Posisi  
  
iii. Menus  
Main Menu-> Menu Details->Nama  
Footer Menu-> Menu Details->Nama  
Categories->Menu Details->Judul Kategori  
Admin Panel-> Menu Details->Nama  
  
Attached POC.  
  
*4. Payload*  
<script>alert('XSS')</script>  
  
  
*5. Credit*  
Himanshu Mehta  
  
*6. Tested By*  
Himanshu Mehta and Sachin Wagh  
mehta.himanshu21@gmail.com  
wsachin092@gmail.com  
`