Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 13 Jan 2015 19:02:53 +0100
From: Steffen Rösemann <>
Subject: CVE-Request -- CMS b2evolution v.5.2.0 -- Reflecting XSS
 vulnerability in filemanager functionality

Hi Josh, Steve, vendors, list.

I found a reflecting XSS vulnerability in CMS b2evolution v.5.2.0
(release-date: 30th Dec 2014). It is located in its filemanager
functionality, which can be accessed in the administrative backend by the
following URL (assuming a common b2evolution installation):


The "fm_filter" parameter is vulnerable to XSS attacks and can be exploited
by an attacker like in the following example:


Could you please assign a CVE-ID for it?

Thank you very much!


Steffen Rösemann



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.