#1239 Whole CMS Is Vulnerable To Reflected XSS - Exponent CMS

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

#1239 ✓resolved

Whole CMS Is Vulnerable To Reflected XSS

Reported by Narendra Bhati | November 16th, 2014 @ 02:28 PM | in User issues

Hey Exponent CMS

want to report critical conditions of your cms , that your whole cms is vulnerable to Reflected XSS Attack

how ?
Lets see

suppose you heve this ur - http://127.0.0.1/exponent/users/userperms/mod/navigation/int/1

then you just have to xss payload at the end of the url - like this
http://127.0.0.1/exponent/users/userperms/mod/navigation/int/1&quot...;

every single page which have no parameter is vulnerable to same attack

just add "> in every single page which have no xss and you will get the js alert box

Comments and changes to this ticket

dleffler November 16th, 2014 @ 07:28 PM
- Assigned user cleared.
- Milestone set to “User issues”
Are you reporting this as an issue with version 2.3.1patch4? Lighthouse tends to mangle tags in posts, but we are unable to reproduce this anomaly in v2.3.1patch4 (the current release).
- Only a logged-in admin user could run this command (userperms) so the parameters wouldn't be acted on
- We show only normal activity when adding a double quote, followed by an opening script tag, followed by 'alert(7);', followed by a closing script tag. (the payload is stripped out)
If you are able to get this to occur in v2.1.4patch6, v2.2.3patch9, or v2.3.1patch4, please provide more details or a confirmation of my description of your specific url additions.
You flagged this item as spam.
Narendra Bhati November 16th, 2014 @ 07:30 PM
- Assigned user set to “expNinja”
yaa right , i have downloaded the new version of your cms 4 days before !

but for make me sure , kindly send me the link where i can download the new version !
You flagged this item as spam.
Narendra Bhati November 16th, 2014 @ 07:33 PM
i am 100% sure , that i am using 2.1.4 patch 6 which i have downloaded on 14 nov 2014
dleffler November 17th, 2014 @ 09:53 PM
- Assigned user cleared.
The version release package and the patches can be found at either of these locations:
https://sourceforge.net/projects/exponentcms/files/
https://github.com/exponentcms/exponent-cms/releases

Current version is v2.3.1patch4 (install v2.3.1 followed by v2.3.1patch4)

Patches were released for two older versions (latest release prior to a major update)
v2.2.3patch9 (install v2.2.3 followed by v2.2.3patch9)
v2.1.4patch6 (install v2.1.4 followed by v2.1.4patch6)
You flagged this item as spam.
Narendra Bhati December 4th, 2014 @ 07:37 PM
- Assigned user set to “expNinja”
i checked that i am using the latest version which is vulnerable to XSS !
dleffler December 27th, 2014 @ 02:51 PM
- State changed from “new” to “resolved”
- Assigned user cleared.
All XSS exploits are blocked in v2.3.2 (v2.1.4patch7 & v2.2.3patch10)

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Bug Tracker for Exponent CMS

Shared Ticket Bins (Sort)

↓↑ drag 156 Open tickets
↓↑ drag 1246 Resolved tickets
↓↑ drag 1 This week's tickets

Exponentcms Exponent CMS → User issues