CVE Request -- CMS e107 v.1.0.4 -- Reflecting XSS vulnerability in filemanager functionality

[Steffen Rösemann <steffen.roesemann1986 () gmail com>]

Hi Josh, Steve, vendors, list.

I found a reflecting XSS vulnerability in the filemanager functionality in
the administrative backend of CMS e107 v.1.0.4.

It can be exploited by an attacker like in the following example:

http://{TARGET}/e107_admin/filemanager.php?e107_files/%3C%73%63%72%69%70%74%3Ealert(String.fromCharCode(34,
88, 83, 83,
34))%3C%2F%73%63%72%69%70%74%3E%3C!--%3C%2F%73%63%72%69%70%74%3E%3C!--

Could you please assign a CVE-ID for it?

Thank you!

Greetings.

Steffen Rösemann

References:

[1] http://e107.org/
[2] http://sroesemann.blogspot.de/2014/12/sroeadv-2014-05.html
[3] https://github.com/e107inc/e107v1/issues/2
[4]
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-05.html
[5] http://seclists.org/fulldisclosure/2015/Jan/18