
Whole CMS Is Vulnerable To Reflected XSS
Reported by Narendra Bhati | November 16th, 2014 @ 02:28 PM | in User issues
Hey Exponent CMS,
I want to report a critical condition of your CMS: your whole CMS is vulnerable to a Reflected XSS attack.
How? Let's see.
Suppose you have this URL - http://127.0.0.1/exponent/users/userperms/mod/navigation/int/1
Then you just have to add the XSS payload at the end of the URL, like this:
http://127.0.0.1/exponent/users/userperms/mod/navigation/int/1"...;
Every single page which has no parameter is vulnerable to the same attack.
Just add "> in every single page which has no XSS and you will get the JS alert box.
Comments and changes to this ticket
-
dleffler November 16th, 2014 @ 07:28 PM
- Assigned user cleared.
- Milestone set to User issues
Are you reporting this as an issue with version 2.3.1patch4? Lighthouse tends to mangle tags in posts, but we are unable to reproduce this anomaly in v2.3.1patch4 (the current release).
- Only a logged-in admin user could run this command (userperms) so the parameters wouldn't be acted on
- We show only normal activity when adding a double quote, followed by an opening script tag, followed by 'alert(7);', followed by a closing script tag. (the payload is stripped out)
If you are able to get this to occur in v2.1.4patch6, v2.2.3patch9, or v2.3.1patch4, please provide more details or a confirmation of my description of your specific url additions.
-
Narendra Bhati November 16th, 2014 @ 07:30 PM
- Assigned user set to expNinja
Yeah, right, I downloaded the new version of your CMS 4 days ago!
But to make sure, kindly send me the link where I can download the new version!
-
Narendra Bhati November 16th, 2014 @ 07:33 PM
I am 100% sure that I am using 2.1.4 patch 6, which I downloaded on 14 Nov 2014.
-
dleffler November 17th, 2014 @ 09:53 PM
- Assigned user cleared.
The version release package and the patches can be found at either of these locations:
https://sourceforge.net/projects/exponentcms/files/
https://github.com/exponentcms/exponent-cms/releases
Current version is v2.3.1patch4 (install v2.3.1 followed by v2.3.1patch4)
Patches were released for two older versions (latest release prior to a major update)
v2.2.3patch9 (install v2.2.3 followed by v2.2.3patch9)
v2.1.4patch6 (install v2.1.4 followed by v2.1.4patch6)
-
Narendra Bhati December 4th, 2014 @ 07:37 PM
- Assigned user set to expNinja
I checked that I am using the latest version, which is vulnerable to XSS!
-
dleffler December 27th, 2014 @ 02:51 PM
- State changed from new to resolved
- Assigned user cleared.
All XSS exploits are blocked in v2.3.2 (v2.1.4patch7 & v2.2.3patch10)
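
The thread concerns a script payload appended to a path-style URL and reflected into the page. The following PHP is an added example, not Exponent CMS code and not taken from the ticket: it validates every path segment against an allow-list and encodes values before they are written into HTML. The route layout (controller/action followed by key/value pairs, with the /exponent base path already removed), the function names and the allow-list pattern are assumptions.

```php
<?php
// Added example, not Exponent CMS code. The path layout
// /controller/action/key/value/... is assumed from the ticket's URL.

// Allow-list for each path segment; anything else is rejected outright.
const SEGMENT_RE = '/\A[A-Za-z0-9_-]{1,64}\z/';

// Split a request path into controller, action and key/value params,
// returning null if any decoded segment falls outside the allow-list.
function parse_route(string $path): ?array
{
    $segments = array_values(array_filter(
        array_map('rawurldecode', explode('/', $path)),
        static fn(string $s): bool => $s !== ''
    ));
    if (count($segments) < 2 || count($segments) % 2 !== 0) {
        return null;
    }
    foreach ($segments as $segment) {
        if (preg_match(SEGMENT_RE, $segment) !== 1) {
            return null;
        }
    }
    $params = [];
    for ($i = 2; $i < count($segments); $i += 2) {
        $params[$segments[$i]] = $segments[$i + 1];
    }
    return ['controller' => $segments[0], 'action' => $segments[1], 'params' => $params];
}

// Encode for an HTML attribute or text context; quotes are encoded too,
// so a value cannot close the attribute it is written into.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: the ticket's URL path, and the same path with
// the double-quote plus script-tag suffix described in the thread.
$clean = '/users/userperms/mod/navigation/int/1';
$probe = $clean . '"><script>alert(7);</script>';

var_dump(parse_route($clean) !== null);
var_dump(parse_route($probe));
echo attr($probe), PHP_EOL;
```

The two controls are independent: rejecting the route keeps unexpected characters out of the application, and encoding at output keeps a reflected value inert even when validation is missed on some page.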
Bug Tracker for Exponent CMS