Lucene search
Ramon JanssenPACKETSTORM:152717HistoryMay 03, 2019 - 12:00 a.m.
Zotonic 0.46 mod_admin Cross Site Scripting
2019-05-0300:00:00
Ramon Janssen
packetstormsecurity.com
41
0.006 Low
EPSS
Percentile
77.6%
`# Exploit Title: Zotonic <=0.46 mod_admin (Erlang) - Reflective Cross-Site Scripting
# Date: 24-04-2019
# Exploit Author: RamΓ²n Janssen
# Researchers: Jan-martin Sijs, Joost Quist, Joost Vondeling, RamΓ²n Janssen
# Vendor Homepage: http://zotonic.com/
# Software Link: https://github.com/zotonic/zotonic/releases/tag/0.46.0
# Version: <=0.46
# CVE : CVE-2019-11504
Attack type
Remote
Impact
Code Execution
Zotonic versions prior to 0.47 have multiple authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in the management module. The vulnerabilitie can be exploited when an authenticated user with administrative permissions visits the crafted URL (i.e. when phished or visits a website containing the URL). The XSS effects the following URLs and parameters of the management module:
- /admin/overview/ [qcat, qcustompivot, qs]
- /admin/users/ [qs]
- /admin/media/ [qcat,qcustompivot, qs]
Example: https://[host]/admin/overview?qcustompivot="><script>prompt(βXSSβ)</script>
Affected source code file zotonic_mod_admin:
- zotonic_mod_admin_identity\priv\templates\_admin_sort_header.tpl
- zotonic_mod_admin_identity\priv\templates\admin_users.tpl
Reference(s)
http://docs.zotonic.com/en/latest/developer-guide/releasenotes/rel_0.47.0.html
`
Related
osv
osv
CVE-2019-11504
2019-04-24 21:29:00
nvd
nvd
CVE-2019-11504
2019-04-24 21:29:00
exploitpack
exploitpack
Zotonic 0.47.0 mod_admin - Cross-Site Scripting
2019-05-03 00:00:00
cvelist
cvelist
CVE-2019-11504
2019-04-24 20:17:35
zdt
zdt
Zotonic < 0.47.0 mod_admin - Cross-Site Scripting Vulnerability
2019-05-03 00:00:00
prion
prion
Cross site scripting
2019-04-24 21:29:00
cve
cve
CVE-2019-11504
2019-04-24 21:29:00
exploitdb
exploitdb
Zotonic < 0.47.0 mod_admin - Cross-Site Scripting
2019-05-03 00:00:00