Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 22 Dec 2015 10:49:39 +0000
From: CSW Research Lab <disclose@...ersecurityworks.com>
To: "cve-assign@...re.org" <cve-assign@...re.org>, 
	"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Symphony CMS 2.6.3 - Multiple Reflected Cross-site
 Scripting Vulnerability

Hi all

can you please assign CVE for this issue ?

Description
***************
Symphony CMS 2.6.3 is prone to Cross-site scripting vulnerability because
it fails to sanitize user-supplied input in default email settings.An
attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user of the affected site.


Proof of Concept URL
***************************
[+] http://192.168.56.101/symphony/symphony/system/preferences/

Vulnerable Parameter
**************************
[+] email_sendmail[from_name]
[+] email_sendmail[from_address]
[+] email_smtp[from_name]
[+] email_smtp[from_address]
[+] email_smtp[host]
[+] email_smtp[port]
[+] it_image_manipulation[trusted_external_sites]
[+] maintenance_mode[ip_whitelist]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ