Date: Fri, 26 Jun 2015 22:30:46 +0530 From: Anirudh Anand <anirudhanand722@...il.com> To: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: CVE Request - BigTree CMS - Stored XSS while creating a new user Hello all, BigTree CMS is a popular Content Management System written in PHP. While creating a new user, the "*Name*" and "*Company*" parameters are not properly sanitized and it leads to stored XSS. *Date:* 25th June, 2015 *Exploit Author:* Anirudh Anand *Vendor Homepage*: https://www.bigtreecms.org/ *Software Link:* https://www.bigtreecms.org/download/ *Version: *< 4.2.2 *Tested on:* Linux:- Ubuntu, Debian The issue has been successfully reported to vendor and they have released an update for the same. *References: * *Bug Report:* https://github.com/bigtreecms/BigTree-CMS/issues/205 *Fix Released:* https://github.com/bigtreecms/BigTree-CMS/commit/e13aa4795cdeb1ab1dc0f5fd0b66df2d1296591d -- Anirudh Anand bi0s@...ITA www.securethelock.com *"Those who Say it cannot be done, should not interrupt the people doing it"*
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.