oss-sec mailing list archives
Re: CVE Request -- CMS e107 v.1.0.4 -- Reflecting XSS vulnerability in filemanager functionality
From: cve-assign () mitre org
Date: Sun, 11 Jan 2015 09:47:55 -0500 (EST)
Hi Josh, Steve, vendors, list. I found a reflecting XSS vulnerability in the filemanager functionality in the administrative backend of CMS e107 v.1.0.4. It can be exploited by an attacker like in the following example: http://{TARGET}/e107_admin/filemanager.php?e107_files/%3C%73%63%72%69%70%74%3Ealert(String.fromCharCode(34, 88, 83, 83, 34))%3C%2F%73%63%72%69%70%74%3E%3C!--%3C%2F%73%63%72%69%70%74%3E%3C!-- Could you please assign a CVE-ID for it? Thank you! Greetings. Steffen R??semann References: [1] http://e107.org/ [2] http://sroesemann.blogspot.de/2014/12/sroeadv-2014-05.html [3] https://github.com/e107inc/e107v1/issues/2 [4] http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-05.html [5] http://seclists.org/fulldisclosure/2015/Jan/18
Use CVE-2015-1041. --- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- CVE Request -- CMS e107 v.1.0.4 -- Reflecting XSS vulnerability in filemanager functionality Steffen Rösemann (Jan 09)
- Re: CVE Request -- CMS e107 v.1.0.4 -- Reflecting XSS vulnerability in filemanager functionality cve-assign (Jan 11)