Bugtraq mailing list archives
Accentis Content Resource Management System - XSS
From: GalaxyCVEcollector () gmail com
Date: Mon, 2 Nov 2015 06:16:04 GMT
# Vulnerability type: Stored Cross Site Scripting # Vendor: http://www.accentis.com.au/ # Product: Accentis Content Resource Management System # Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan # CVE ID: CVE-2015-3425 # PROOF OF CONCEPT (XSS) Accentis Content Resource Management System before October 2015 patch contains Stored Cross-site scripting (XSS) vulnerability which allows authenticated users to inject arbitrary javascript via the following parameter. # VULNERABLE PARAMETER: - ctl00$cph_content$_uig_formState # SAMPLE PAYLOAD - <script>alert(XSS)</script> # TIMELINE - 15/04/2015: Vulnerability found - 09/07/2015: Vendor informed - 09/07/2015: Vendor responded and acknowledged - 28/10/2015: Vendor fixed the issue - 02/11/2015: Public disclosure
Current thread:
- Accentis Content Resource Management System - XSS GalaxyCVEcollector (Nov 02)