Lucene search
Alwin Peppels1337DAY-ID-29812HistoryFeb 17, 2018 - 12:00 a.m.
Joomla Kubik-Rubik Simple Image Gallery Extended (SIGE) 3.2.3 Component - Cross-Site Scripting
2018-02-1700:00:00
Alwin Peppels
0day.today
43
0.001 Low
EPSS
Percentile
45.7%
Exploit for php platform in category web applications
# Exploit Title: Joomla! Component SIGE version <= 3.2.3 Cross-site Scripting
# Software Link: https://downloads.kubik-rubik.de/joomla-extensions/plg_sige_v3.2.3.zip
# Exploit Author: Alwin Peppels
# Website: www.onvio.nl
# CVE: CVE-2017-16356
# Category: webapps
1. Description
Kubik-Rubik Simple Image Gallery Extended (SIGE) contains an XSS in the
'print.php' file.
Insufficient sanitization of the 'caption' URL parameter allows injection
of Javascript into the page.
In versions <= 3.2.0 the 'name' and 'img' parameters are vulnerable as well.
Google dork: inurl:plugin_sige/print.php
The version of the SIGE plugin can be determined with this file:
[JOOMLA]/plugins/content/sige/sige.xml
2. Proof of Concept
[JOOMLA]/plugins/content/sige/plugin_sige/print.php?img=x&caption=<img%20src=x%20onerror=alert(%27XSS%27)>
3. Solution:
Update to version 3.3.0
https://downloads.kubik-rubik.de/joomla-extensions/plg_sige_v3.3.0.zip
# 0day.today [2018-04-11] #Related
exploitpack
exploitpack
packetstorm
packetstorm
Joomla Kubik-Rubik SIGE 3.2.3 Cross Site Scripting
2018-02-16 00:00:00
prion
prion
Cross site scripting
2018-02-20 15:29:00
joomla
joomla
cve
cve
CVE-2017-16356
2018-02-20 15:29:00
cvelist
cvelist
CVE-2017-16356
2018-02-20 15:00:00
nvd
nvd
CVE-2017-16356
2018-02-20 15:29:00
exploitdb
exploitdb