Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 21 Sep 2016 08:09:27 +0800
From: Carl Peng <>
Subject: CVE request:Exponent CMS 2.3.9 xss vulnerability in worldpay

Hi, I reported the following Cross Site Scripting vulnerability to the
ExponentCMS team on Sep 16, 2016:
line 7-11:
<meta http-equiv="refresh" content="2;url=<?php echo URL_FULL;
?>cart/preprocess?transStatus=<?php echo $_POST["transStatus"];
?>&transId=<?php echo $_POST["transId"]; ?>"> //xss
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8" />
"transStatus", "transId" parameters are fail to sufficiently sanitize.

Proof of concept:
And post:transStatus="/><script>alert(/xss/)</script>

And Now, Cross Site Scripting vulnerability have been fixed.

This issue was reported by Peng Hua of Inc. and I would like
to request a CVE for this issue (if not done so).

Thank you.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.