Exponent CMS 2.3.5 - Multiple Cross-Site Scripting Vulnerability
Reported by Sachin Wagh | December 25th, 2015 @ 08:53 PM | in 2.3.7 (closed)
Information
Vulnerability Type : Exponent CMS 2.3.5 - Multiple Cross-Site Scripting Vulnerability
Vulnerable Version : 2.3.5
CVE-ID :
Severity: High
Author – Sachin Wagh (@tiger_tigerboy)
Description
Exponent CMS is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
Affected parameters and URLs are mentioned below.
1. http://localhost/exponent-2.3.5/navigation/edit_contentpage/id/1#...
Parameters:
sef_name
canonical
page_title
2. http://localhost/exponent-2.3.5/users/edituser/id/1
Parameter:
firstname
3. http://localhost/exponent-2.3.5/users/manage_groups
Parameters:
name
description
Credits & Authors
Sachin Wagh (@tiger_tigerboy)
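One way to handle the reported fields on the server side, shown as an added example (not Exponent CMS code and not part of the original report). The helper names and the assumed meaning of each field (sef_name as a URL slug, canonical as an absolute URL, the others as free text) are hypothetical; the group name and description fields would go through the same output encoder as firstname.

```php
<?php
// Added example: hypothetical helpers, not Exponent CMS code.
// Field names come from the report; their semantics are assumed.

function esc_html(string $value): string
{
    // Encode for HTML element content and quoted-attribute contexts.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function clean_sef_name(string $value): ?string
{
    // Assumed: an SEF name is a URL slug, so allowlist its characters.
    return preg_match('/\A[a-z0-9][a-z0-9_-]{0,99}\z/i', $value) === 1 ? $value : null;
}

function clean_canonical(string $value): ?string
{
    // Assumed: canonical is an absolute URL; accept only http(s) with a host.
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true) ? $value : null;
}

// Constructed sample input containing markup metacharacters.
$input = [
    'sef_name'   => 'about-us"><i>x</i>',
    'canonical'  => 'ftp://example.test/page',
    'page_title' => 'About <i>"us"</i>',
    'firstname'  => "O'Brien <i>",
];

// Validate structured fields on input; a null result means "reject the value".
$sef       = clean_sef_name($input['sef_name']);
$canonical = clean_canonical($input['canonical']);

// Validation does not replace encoding: every value is encoded where it is written out.
printf("<title>%s</title>\n", esc_html($input['page_title']));
printf("<input name=\"firstname\" value=\"%s\">\n", esc_html($input['firstname']));
printf("<input name=\"sef_name\" value=\"%s\">\n", esc_html($sef ?? ''));
printf("<link rel=\"canonical\" href=\"%s\">\n", esc_html($canonical ?? ''));
```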
Comments and changes to this ticket
Sachin Wagh December 26th, 2015 @ 06:43 AM
Thanks dleffer.
Just want to confirm whether Parameter Tampering and Cross-Site Scripting are assigned the same CVE-ID.
Is it correct? Please let me know if it's the same one or a different CVE for both types of issues, so I can go ahead and write an advisory/blog.
Thanks again.
Bug Tracker for Exponent CMS