Date: Fri, 26 Jun 2015 22:30:46 +0530
From: Anirudh Anand <anirudhanand722@...il.com>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: CVE Request - BigTree CMS - Stored XSS while creating a new user

Hello all,

BigTree CMS is a popular Content Management System written in PHP. While creating a new user, the "Name" and "Company" parameters are not properly sanitized, which leads to stored XSS.

Date: 25th June, 2015
Exploit Author: Anirudh Anand
Vendor Homepage: https://www.bigtreecms.org/
Software Link: https://www.bigtreecms.org/download/
Version: < 4.2.2
Tested on: Linux: Ubuntu, Debian

The issue has been successfully reported to the vendor and they have released an update for the same.

References:
Bug Report: https://github.com/bigtreecms/BigTree-CMS/issues/205
Fix Released: https://github.com/bigtreecms/BigTree-CMS/commit/e13aa4795cdeb1ab1dc0f5fd0b66df2d1296591d

--
Anirudh Anand
bi0s@...ITA
www.securethelock.com
"Those who say it cannot be done, should not interrupt the people doing it"
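The class of bug reported above, stored field values echoed into admin pages without HTML escaping, is shown below as an added PHP example. It is not BigTree's code and not taken from the linked fix; the record layout, the field names and the two render functions are assumptions made for illustration. It places the unsafe output pattern next to the hardened form, which escapes at output time for the HTML context.

```php
<?php
// Added example, not BigTree CMS code. Demonstrates the stored-XSS pattern
// (user-supplied "Name"/"Company" echoed unescaped) beside its hardened form.

// Constructed sample record: what a users row might hold after a crafted
// "create user" form post. The markup in 'name' is a harmless test marker.
$user = [
    'name'    => 'Alice <script>alert(1)</script>',
    'company' => 'Example & Co.',
];

// Vulnerable pattern (hypothetical): stored values interpolated straight into HTML.
// Any markup saved in the field is rendered by the browser of whoever views the list.
function render_user_unsafe(array $user): string
{
    return "<td>{$user['name']}</td><td>{$user['company']}</td>";
}

// Hardened pattern: escape every untrusted value for the HTML context at output
// time. ENT_QUOTES also escapes single quotes so the helper is safe inside
// attribute values; the charset is declared explicitly so multibyte input
// cannot be mis-decoded into a different byte sequence.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_user_safe(array $user): string
{
    return '<td>' . h($user['name']) . '</td><td>' . h($user['company']) . '</td>';
}

$unsafe = render_user_unsafe($user);
$safe   = render_user_safe($user);

echo "Unsafe: $unsafe", PHP_EOL;
echo "Safe:   $safe", PHP_EOL;

// Self-check: the hardened output must not contain a live <script> tag, and the
// ampersand in the company name must have been turned into an entity.
if (strpos($unsafe, '<script>') === false) {
    throw new RuntimeException('expected the unsafe renderer to leak markup');
}
if (strpos($safe, '<script>') !== false || strpos($safe, '&amp;') === false) {
    throw new RuntimeException('hardened renderer did not escape output');
}
echo 'OK: hardened output is escaped', PHP_EOL;
```

Escaping at output, rather than stripping characters on input, is the fix that generalises: the same stored value may later be emitted into an attribute, a JavaScript string or a URL, each of which needs its own encoder, so the store keeps the raw data and every sink applies the encoding for its own context.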