#1324 new
Sachin Wagh

Exponent CMS 2.3.5- Multiple Cross-Site Scripting Vulnerability

Reported by Sachin Wagh | December 25th, 2015 @ 08:53 PM | in 2.3.7 (closed)

Information

Vulnerability Type : Exponent CMS 2.3.5 - Multiple Cross-Site Scripting Vulnerability
Vulnerable Version : 2.3.5
CVE-ID :
Severity: High
Author – Sachin Wagh (@tiger_tigerboy)

Description

Exponent CMS is prone to a multiple cross-site scripting vulnerability because it fails to sanitize user-supplied input.

Affected parameters and URL's are mentioned below.

1.http://localhost/exponent-2.3.5/navigation/edit_contentpage/id/1#...

Parameter:

sef_name
canonical
page_title

2.http://localhost/exponent-2.3.5/users/edituser/id/1

Parameter:

firstname

3.http://localhost/exponent-2.3.5/users/manage_groups

Parameter:

name
description


Credits & Authors
Sachin Wagh (@tiger_tigerboy)

Comments and changes to this ticket

  • Sachin Wagh

    Sachin Wagh December 26th, 2015 @ 06:43 AM

    Thanks dleffer.

    Just want to confirm for Parameter Tampering and Cross-Site Scripting assigned same CVE-ID.

    Is it correct. Please let me know if its same one or different CVE for both type of issues.So I can go ahead and write advisory/blog.

    Thanks again.

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

Bug Tracker for Exponent CMS

Shared Ticket Bins

People watching this ticket

Attachments

Tags

Pages