ID 1337DAY-ID-23941 Type zdt Reporter Arash Khazaei Modified 2015-07-30T00:00:00
Description
Exploit for php platform in category web applications
# Exploit Title: Tendoo CMS Stored And Reflected Xss Vulnerability
# Google Dork: N/A
# Date: 28/7/2015
# Exploit Author: Arash Khazaei
# Vendor Homepage: http://tendoo.org/
# Software Link: http://sourceforge.net/projects/tendoo-cms/
# Version: 1.3
# Tested on: Kali , Windows
# CVE : N/A
# Contact : [email protected]
######################
Introduction :
a Stored And a Reflected XSS Vulnerability In Profile Area In Tendoo CMS
Make CMS Vulnerable And Can Be Used For Stealing Admin Cookies And ....... .
######################
Stored Xss In http://localhost/tendoo/index.php/account/update In First
Name and Last Name Inputs
Excute Java Script Codes And If Admin Or Any Body Come In Attacker Profile
When First Name And Last Name Loads
JavaScripts Code Will Be Excuted
POC :
https://i.leetfil.es/e992ad2d.jpg
Reflected Xss In http://localhost/tendoo/index.php/account/update?info=
Input Make Execute JavaScripts Codes
POC :
https://i.leetfil.es/454570b1.jpg
You Can See Javascript Alerts In Pictures .
Discovered By Arash Khazaei
# 0day.today [2018-01-03] #
{"id": "1337DAY-ID-23941", "bulletinFamily": "exploit", "title": "Tendoo CMS 1.3 - XSS Vulnerabilities", "description": "Exploit for php platform in category web applications", "published": "2015-07-30T00:00:00", "modified": "2015-07-30T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/23941", "reporter": "Arash Khazaei", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2018-01-03T15:10:57", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for php platform in category web applications", "edition": 1, "enchantments": {"score": {"modified": "2016-04-20T01:49:22", "value": 4.3}}, "hash": "57cf7b7e9efb4036b109c43122d2627e064596d672c2fa8c0a964466d90e8dae", "hashmap": [{"hash": "14609a06e0dd9c213d95e683bb9797b8", "key": "href"}, {"hash": "2bae9ccf27ecef9510e7896b4e51571e", "key": "title"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "17349f1b1e2a055ccd1d9afb78ddc399", "key": "modified"}, {"hash": "17349f1b1e2a055ccd1d9afb78ddc399", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "ab901e06d3be5c19ba161d1de1eb4348", "key": "reporter"}, {"hash": "cd6491e075798b395e1ab2ba31af563c", "key": "sourceHref"}, {"hash": "41acbfaba255733bf214cfb03706ef1e", "key": "sourceData"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}], "history": [], "href": "http://0day.today/exploit/description/23941", "id": "1337DAY-ID-23941", "lastseen": "2016-04-20T01:49:22", "modified": "2015-07-30T00:00:00", "objectVersion": "1.0", "published": "2015-07-30T00:00:00", "references": [], "reporter": "Arash Khazaei", "sourceData": "# Exploit Title: Tendoo CMS Stored And Reflected Xss Vulnerability\r\n# Google Dork: N/A\r\n# Date: 28/7/2015\r\n# Exploit Author: Arash Khazaei\r\n# Vendor Homepage: http://tendoo.org/\r\n# Software Link: http://sourceforge.net/projects/tendoo-cms/\r\n# Version: 1.3\r\n# Tested on: Kali , Windows\r\n# CVE : N/A\r\n# Contact : 0xclay@gmail.com\r\n \r\n######################\r\nIntroduction :\r\na Stored And a Reflected XSS Vulnerability In Profile Area In Tendoo CMS\r\nMake CMS Vulnerable And Can Be Used For Stealing Admin Cookies And ....... .\r\n######################\r\n \r\nStored Xss In http://localhost/tendoo/index.php/account/update In First\r\nName and Last Name Inputs\r\nExcute Java Script Codes And If Admin Or Any Body Come In Attacker Profile\r\nWhen First Name And Last Name Loads\r\nJavaScripts Code Will Be Excuted\r\nPOC :\r\n \r\nhttps://i.leetfil.es/e992ad2d.jpg\r\n \r\nReflected Xss In http://localhost/tendoo/index.php/account/update?info=\r\nInput Make Execute JavaScripts Codes\r\nPOC :\r\nhttps://i.leetfil.es/454570b1.jpg\r\n \r\nYou Can See Javascript Alerts In Pictures .\r\n \r\nDiscovered By Arash Khazaei\n\n# 0day.today [2016-04-20] #", "sourceHref": "http://0day.today/exploit/23941", "title": "Tendoo CMS 1.3 - XSS Vulnerabilities", "type": "zdt", "viewCount": 0}, "differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:49:22"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc"}, {"key": "href", "hash": "b1c88b6103cad1a289e9f1b312f59ba0"}, {"key": "modified", "hash": "17349f1b1e2a055ccd1d9afb78ddc399"}, {"key": "published", "hash": "17349f1b1e2a055ccd1d9afb78ddc399"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "ab901e06d3be5c19ba161d1de1eb4348"}, {"key": "sourceData", "hash": "9fe2c3abb6ff72e57a55f982d9ca3f2b"}, {"key": "sourceHref", "hash": "0399debb87dda93fc8702ea460d6f8a5"}, {"key": "title", "hash": "2bae9ccf27ecef9510e7896b4e51571e"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "02a8a9c3b78390737bcd67a87e5c554dbf0dce7489d7356a00f3141f9ca0b038", "viewCount": 0, "enchantments": {"vulnersScore": 7.5}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/23941", "sourceData": "# Exploit Title: Tendoo CMS Stored And Reflected Xss Vulnerability\r\n# Google Dork: N/A\r\n# Date: 28/7/2015\r\n# Exploit Author: Arash Khazaei\r\n# Vendor Homepage: http://tendoo.org/\r\n# Software Link: http://sourceforge.net/projects/tendoo-cms/\r\n# Version: 1.3\r\n# Tested on: Kali , Windows\r\n# CVE : N/A\r\n# Contact : [email\u00a0protected]\r\n \r\n######################\r\nIntroduction :\r\na Stored And a Reflected XSS Vulnerability In Profile Area In Tendoo CMS\r\nMake CMS Vulnerable And Can Be Used For Stealing Admin Cookies And ....... .\r\n######################\r\n \r\nStored Xss In http://localhost/tendoo/index.php/account/update In First\r\nName and Last Name Inputs\r\nExcute Java Script Codes And If Admin Or Any Body Come In Attacker Profile\r\nWhen First Name And Last Name Loads\r\nJavaScripts Code Will Be Excuted\r\nPOC :\r\n \r\nhttps://i.leetfil.es/e992ad2d.jpg\r\n \r\nReflected Xss In http://localhost/tendoo/index.php/account/update?info=\r\nInput Make Execute JavaScripts Codes\r\nPOC :\r\nhttps://i.leetfil.es/454570b1.jpg\r\n \r\nYou Can See Javascript Alerts In Pictures .\r\n \r\nDiscovered By Arash Khazaei\n\n# 0day.today [2018-01-03] #"}