Date: Thu, 22 Sep 2016 11:37:40 +0800
From: 王畅 <>
Subject: CVE Request: XSS Vulnerability in Exponent CMS 2.3.9

Hi, I reported a Cross Site Scripting vulnerability to the
ExponentCMS team a few days ago:


line 85-86:

$funcNum = $_GET['CKEditorFuncNum'] ;
echo "<script type='text/javascript'>".$funcNum.",
'".$url."', '".$message."');</script>";


"$_GET['CKEditorFuncNum']"  was printed out without any sanitization.


And now, this vulnerability has been

This issue was reported by Wang Chang of Inc. and I would like
to request a CVE for this issue (if not done so).

Thank you.
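
A hardened form of the quoted output statement, as an added example that is not part of the original post and not Exponent CMS's actual fix. The function name, the sample inputs and the `window.parent.CKEDITOR.tools.callFunction` wrapper (CKEditor's standard file-browser callback, which the quoted snippet does not show) are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not Exponent CMS code). Builds the CKEditor upload callback
// with every request-derived value validated or encoded for a JS context.
function ckeditorCallbackScript($rawFuncNum, string $url, string $message): string
{
    // CKEditorFuncNum is a small numeric callback index: allow 1-9 digits only.
    if (!is_string($rawFuncNum) || !preg_match('/\A[0-9]{1,9}\z/', $rawFuncNum)) {
        throw new InvalidArgumentException('CKEditorFuncNum must be numeric');
    }
    $funcNum = (int) $rawFuncNum;

    // json_encode() yields valid JS string literals; the JSON_HEX_* flags also
    // escape <, >, &, ' and " so "</script>" cannot end the inline script block.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;

    // Assumed wrapper: CKEditor's standard file-browser callback.
    return "<script type='text/javascript'>"
        . 'window.parent.CKEDITOR.tools.callFunction('
        . $funcNum . ', '
        . json_encode($url, $flags) . ', '
        . json_encode($message, $flags)
        . ');</script>';
}

// Constructed inputs: one valid index, two values that must be rejected
// (a non-numeric string and an array, as sent by ?CKEditorFuncNum[]=3).
$samples = ['3', '3abc', ['3']];
foreach ($samples as $sample) {
    try {
        echo ckeditorCallbackScript($sample, '/files/a.png', "it's <ok>"), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($sample), PHP_EOL;
    }
}
```

In a request handler the first argument would be `$_GET['CKEditorFuncNum'] ?? null`, so a missing parameter is rejected the same way as a malformed one.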
