Date: Wed, 21 Sep 2016 08:09:27 +0800
From: Carl Peng <>
Subject: CVE request:Exponent CMS 2.3.9 xss vulnerability in worldpay

Hi, I reported the following Cross Site Scripting vulnerability to the
ExponentCMS team on Sep 16, 2016:
line 7-11:
<meta http-equiv="refresh" content="2;url=<?php echo URL_FULL;
?>cart/preprocess?transStatus=<?php echo $_POST["transStatus"];
?>&transId=<?php echo $_POST["transId"]; ?>"> //xss
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8" />
The "transStatus" and "transId" parameters are not sufficiently sanitized.

Proof of concept:
And post:transStatus="/><script>alert(/xss/)</script>

The Cross Site Scripting vulnerability has now been fixed.

This issue was reported by Peng Hua of Inc. and I would like
to request a CVE for this issue (if not already done).

Thank you.
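
Added example, not part of the original message and not the Exponent CMS fix: one way to emit the same meta refresh tag with both POST values validated and then encoded for the URL and HTML attribute contexts. The helper names, the placeholder URL_FULL value, and the assumed formats (single-letter status, numeric transaction id) are assumptions for illustration.

```php
<?php
// Added example, not Exponent CMS code. URL_FULL mirrors the constant used in
// the quoted snippet; the value below is a constructed placeholder.
if (!defined('URL_FULL')) {
    define('URL_FULL', 'https://shop.example/');
}

// Assumption: the payment callback status is a single uppercase letter.
function clean_status($raw): string
{
    return (is_string($raw) && preg_match('/\A[A-Z]\z/', $raw)) ? $raw : '';
}

// Assumption: the transaction id is purely numeric and at most 20 digits.
function clean_trans_id($raw): string
{
    return (is_string($raw) && preg_match('/\A[0-9]{1,20}\z/', $raw)) ? $raw : '';
}

function build_refresh_tag(array $post): string
{
    // Step 1: allowlist validation; anything unexpected becomes an empty value.
    // Step 2: http_build_query() percent-encodes each value for the query string.
    $query = http_build_query([
        'transStatus' => clean_status($post['transStatus'] ?? null),
        'transId'     => clean_trans_id($post['transId'] ?? null),
    ]);
    $url = URL_FULL . 'cart/preprocess?' . $query;

    // Step 3: encode the whole attribute value for a double-quoted HTML
    // attribute, so quotes, angle brackets and "&" cannot close the tag.
    $attr = htmlspecialchars('2;url=' . $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<meta http-equiv="refresh" content="' . $attr . '">';
}

// Constructed inputs: a well-formed callback and the proof-of-concept value
// quoted in the message above.
$samples = [
    ['transStatus' => 'Y', 'transId' => '1234567'],
    ['transStatus' => '"/><script>alert(/xss/)</script>', 'transId' => '1'],
];

foreach ($samples as $post) {
    echo build_refresh_tag($post), PHP_EOL;
}
```

The allowlist alone would stop the quoted proof of concept; the two encoding steps keep the output safe even if the validation rules are later loosened.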
